LockBit hacked! Their sites defaced and affiliate data exposed!
Last night, the LockBit ransomware group suffered a serious cyberattack that compromised its dark web infrastructure. The group's affiliates and administrators found their control panels compromised and the home pages replaced with the message: "Don't do crime CRIME IS BAD xoxo from Prague", accompanied by a link to download a file named "paneldb_dump.zip" containing a dump of the group's MySQL database.
The leaked archive includes highly sensitive information, including:
- 59,975 Bitcoin addresses used for the group's transactions.
- 4,442 negotiation messages between LockBit and its victims, dated between December 2024 and April 2025.
- Configurations of the ransomware used in the attacks, including details on which files or systems to avoid.
- A list of 75 affiliates and administrators, with plaintext passwords such as "Weekendlover69" and "Lockbitproud231".
The group's leader, known as "LockBitSupp", confirmed the breach, stating that no private keys or critical data were compromised.
From a quick analysis of the SQL dump we noticed that the database was exfiltrated on 29 April, so we can reasonably assume that xoxo From Prague (or whoever is behind this data leak) dumped the database on that date and that the sites were defaced only during the night between 7 and 8 May.
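The dating argument above rests on the timestamps a mysqldump file carries: the newest row timestamp is a lower bound for when the copy was taken, and the "Dump completed on" footer, when present, gives the time directly. The following is an added example (not code from the article or from the leak) that applies that reasoning to a constructed dump fragment in the same layout; the table names, rows and times are all made up.

```python
"""Estimate when a MySQL dump was taken from the timestamps it contains (added example)."""
import re
from datetime import datetime

# Constructed sample in mysqldump format; it is NOT the leaked file, only the same layout.
SAMPLE_DUMP = """-- MySQL dump 10.13  Distrib 8.0.36, for Linux (x86_64)
--
-- Host: localhost    Database: paneldb
-- ------------------------------------------------------
CREATE TABLE `chats` (
  `id` int NOT NULL,
  `created_at` datetime DEFAULT NULL,
  `body` text
);
INSERT INTO `chats` VALUES (1,'2024-12-03 09:14:02','first message'),(2,'2025-03-18 22:41:59','reply'),(3,'2025-04-29 07:55:10','last message');
INSERT INTO `btc_addresses` VALUES (1,'bc1qconstructedexampleaddress000000000000','2025-01-07 11:00:00');
-- Dump completed on 2025-04-29 11:02:17
"""

TS_RE = re.compile(r"'(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})'")
INSERT_RE = re.compile(r"^INSERT INTO `([^`]+)`")
# mysqldump pads the hour with a space, so "2025-04-29  7:02:17" is also possible.
DONE_RE = re.compile(r"^-- Dump completed on (\d{4}-\d{2}-\d{2}\s+\d{1,2}:\d{2}:\d{2})")


def parse_ts(raw: str) -> datetime:
    """Parse a DATETIME literal, tolerating the space-padded hour of the footer."""
    return datetime.strptime(" ".join(raw.split()), "%Y-%m-%d %H:%M:%S")


def analyze_dump(text: str) -> dict:
    """Per-table (row count, newest timestamp), the newest row timestamp overall,
    and the 'Dump completed on' time if mysqldump wrote one."""
    per_table = {}
    latest_row = None
    dump_completed = None
    for line in text.splitlines():
        m = DONE_RE.match(line)
        if m:
            dump_completed = parse_ts(m.group(1))
            continue
        m = INSERT_RE.match(line)
        if not m:
            continue
        table = m.group(1)
        # Every quoted DATETIME literal on the row is scanned; a timestamp quoted inside
        # a text column would also be counted, which is acceptable for an estimate.
        stamps = [parse_ts(s) for s in TS_RE.findall(line)]
        rows = 1 + line.count("),(")  # extended INSERT: one tuple per "),(" boundary
        count, newest = per_table.get(table, (0, None))
        if stamps:
            top = max(stamps)
            newest = top if newest is None or top > newest else newest
            latest_row = top if latest_row is None or top > latest_row else latest_row
        per_table[table] = (count + rows, newest)
    return {"per_table": per_table, "latest_row": latest_row, "dump_completed": dump_completed}


def estimated_dump_date(text: str):
    """Prefer mysqldump's own footer; otherwise the newest row is a lower bound, because
    rows written after the copy was taken cannot appear in it."""
    info = analyze_dump(text)
    best = info["dump_completed"] or info["latest_row"]
    return best.date() if best else None


if __name__ == "__main__":
    summary = analyze_dump(SAMPLE_DUMP)
    for table, (rows, newest) in summary["per_table"].items():
        print(f"{table}: {rows} rows, newest {newest}")
    print("estimated dump date:", estimated_dump_date(SAMPLE_DUMP))
```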
This attack is a heavy blow for LockBit, already weakened by previous law enforcement operations such as "Operation Cronos", which led to server seizures, arrests and international sanctions.
The data leak gives security experts and the authorities a unique opportunity to analyse LockBit's internal operations and could accelerate further legal action against its members.
For now we close the article with a statement from LockBitSupp:
LockBitSupp statement: "It's Not Scary to Fall – It's Scary Not to Get Up"
The article LockBit hacked! Their sites defaced and affiliate data exposed! comes from il blog della sicurezza informatica.
Jellybean Mac Hides Modern PC
The iMac G3 is an absolute icon of industrial design, as (or perhaps more) era-defining than the Mac Classic before it. In the modern day, if your old iMac even boots, well, you can’t do much with it. [Rick Norcross] got a hold of a dead (hopefully irreparable) specimen, and stuffed a modern PC inside of it.
From the outside, it's surprisingly hard to tell. Of course the CRT had to go, replaced with a 15″ ELO panel that fits well after being de-bezeled. (If its resolution is only 1024 x 768, well, it's also only 15″, and that pixel density matches the case.) An M-ATX motherboard squeezes right in, above a modular PSU. Cooling comes from a 140 mm case fan placed under the original handle. Of course you can't have an old Mac without a startup chime, and [Rick] obliges by including an Adafruit FX board wired to the internal speakers, set to chime on power-up while the PC components are booting.
These sorts of mods have proven controversial in the past (certainly there's good reason to want to preserve aging hardware), but perhaps with this generation of iMac it won't raise the same ire as when someone guts a Mac Classic. We've seen the same treatment given to a G4 iMac, but somehow the lamp doesn't quite have the same place in our hearts as the redoubtable jellybean.
Superconductivity News: What Makes Floquet Majorana Fermions Special for Quantum Computing?
Researchers from the USA and India have proposed that Floquet Majorana fermions may improve quantum computing by controlling superconducting currents, potentially reducing errors and increasing stability.
In a study published in Physical Review Letters that was co-authored by [Babak Seradjeh], a Professor of Physics at Indiana University Bloomington, and theoretical physicists [Rekha Kumari] and [Arijit Kundu], from the Indian Institute of Technology Kanpur, the scientists validate their theory using numerical simulations.
In the absence of room-temperature superconductors — the Holy Grail of superconductivity, everybody put your thinking caps on! — the low temperatures required lead to expense (for cooling) and errors (due to decoherence) which need to be managed. Using the techniques proposed by the study, quantum information may be modeled non-locally and be spread out spatially in a material, making it more stable and less error prone, immune to local noise and fluctuations.
Majorana fermions are named after Italian physicist [Ettore Majorana] who proposed them in 1937. Unlike most particles, Majorana fermions are their own antiparticles. In the year 2000 mathematical physicist [Alexei Kitaev] realized Majorana fermions can exist not only as elementary particles but also as quantum excitations in certain materials known as topological superconductors. Topological superconductors differ from regular superconductors in that they have unique, stable quantum states on their surface or edges that are protected by the material’s underlying topology.
Superconductivity is such an interesting phenomenon, where electrical resistance all but vanishes in certain materials when they are very cold. Usually to induce a current in a material you apply a voltage, or potential difference, in order to create the electrical pressure that results in the current. But in a superconductor currents can flow in the absence of an applied voltage. This is because of a peculiar quantum tunneling process known as the “Josephson effect”. It is hoped that by tuning the Josephson current using a superconductor’s “chemical potential” that we discover a new level of control over quantum materials.
Ettore Majorana picture: Mondadori Collection, Public domain.
Wireless USB Autopsy
It might seem strange to people like us, but normal people hate wires. Really hate wires. A lot. So it makes sense that with so many wireless technologies, there should be a way to do USB over wireless. There is, but it really hasn’t caught on outside of a few small pockets. [Cameron Kaiser] wants to share why he thinks the technology never went anywhere.
Wireless USB makes sense. We have high-speed wireless networking. Bluetooth doesn’t handle that kind of speed, but forms a workable wireless network. In the background, of course, would be competing standards.
Texas Instruments and Intel wanted to use multiband orthogonal frequency-division multiplexing (MB-OFDM) to carry data using a large number of subcarriers. Motorola (later Freescale), HP, and others were backing the competing direct sequence ultra-wideband or DS-UWB. Attempts to come up with a common system degenerated.
This led to two systems W-USB (later CF-USB) and CW-USB. CF-USB looked just like regular USB to the computer and software. It was essentially a hub that had wireless connections. CW-USB, on the other hand, had cool special features, but required changes at the driver and operating system level.
Check out the post to see a bewildering array of orphaned and incompatible products that just never caught on. As [Cameron] points out, WiFi and Bluetooth have improved to the point that these devices are now largely obsolete.
Of course, you can transport USB over WiFi, and maybe that’s the best answer, today. That is, if you really hate wires.
AgID alert: SPID scams with highly credible sites put citizens at risk
The CERT-AgID team has identified a phishing campaign targeting SPID users that misuses AgID's own name and logo, together with the recently registered domain agidgov[.]com, which is not linked to the Agency.
The fraudulent message, with the subject "Sospensione imminente SPID: azione obbligatoria" ("Imminent SPID suspension: mandatory action"), invites the user to update their documentation, prompting them to click a button labelled "Aggiorna la Documentazione" ("Update Documentation"), which leads to the malicious site.
The campaign's goal is to steal the victims' SPID credentials, together with copies of identity documents and videos recorded according to specific instructions for the identification procedure, such as: "Guarda verso la telecamera. Rimani serio, poi sorridi" ("Look at the camera. Keep a straight face, then smile").
Countermeasures
Takedown of the malicious domain has been requested in order to prevent further compromises. The IoCs related to the campaign have been distributed through the CERT-AGID IoC Feed to accredited organisations.
Always pay close attention to this kind of communication, particularly when it contains links that look suspicious. When in doubt, it is always possible to forward emails deemed
Increasingly sophisticated phishing: AI in the service of fraud
Phishing has evolved dramatically in recent years, partly thanks to the use of artificial intelligence to generate counterfeit websites that are almost indistinguishable from the originals. These portals imitate the graphics, language and behaviour of the official sites of public bodies or private companies with surprising accuracy, making it extremely difficult for the average user to notice the scam.
In the specific case reported by CERT-AGID, the fraudulent domain agidgov[.]com faithfully reproduced the layout and content of the Agenzia per l'Italia Digitale website, leading the user to enter their SPID credentials in an environment that appeared entirely legitimate.
Trust... but verify
To defend yourself, it is no longer enough to watch for grammatical errors or pixelated logos. It is essential to know how agencies and companies normally operate:
- Public institutions never ask, by email or SMS, for SPID credentials to be entered directly.
- Be wary of messages that create urgency or fear to push the user into acting impulsively.
- If a message or page looks suspicious, always check the web address (URL) and compare it with the official one or, in case of doubt, contact the organisation concerned directly through official channels.
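The "check the URL against the official one" advice can be automated for a mail gateway or a triage script. Below is an added example (not CERT-AgID tooling) that pulls every link out of a message, refangs defanged IoC notation such as agidgov[.]com, and classifies each host as official, lookalike (the brand name glued into or reused inside a non-official host), suspicious (raw IP or punycode label) or unrelated. The allow-list of official domains and the sample message are constructed assumptions.

```python
"""Classify the links in a suspected phishing message against an organisation's
official domains (added example, not CERT-AgID tooling)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the real organisation only uses these domains (constructed allow-list).
OFFICIAL_DOMAINS = {"agid.gov.it", "spid.gov.it"}
# Brand strings whose presence in a host that is NOT official suggests impersonation.
BRAND_LABELS = {"agid", "spid"}

URL_RE = re.compile(r"(?:hxxps?|https?)://[^\s<>\"')]+", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo the defanging used in advisories (hxxp, [.]) so the URL can be parsed."""
    return re.sub(r"hxxp", "http", text.replace("[.]", "."), flags=re.IGNORECASE)


def host_of(url: str) -> str:
    """Lower-cased host part of a (possibly defanged) URL, empty if unparsable."""
    return (urlsplit(refang(url)).hostname or "").strip(".").lower()


def is_official(host: str) -> bool:
    """True only for an official domain itself or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify_host(host: str) -> str:
    """Return 'official', 'lookalike', 'suspicious', 'unrelated' or 'invalid'."""
    if not host:
        return "invalid"
    if is_official(host):
        return "official"
    try:
        ipaddress.ip_address(host)
        return "suspicious"  # a bare IP is never how the institution publishes a portal
    except ValueError:
        pass
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        return "suspicious"  # punycode label: possible homoglyph of the brand name
    # Catches glued forms such as "agidgov.com" and the official name reused as a
    # subdomain of an attacker-controlled domain, e.g. "agid.gov.it.example.net".
    if any(brand in label for brand in BRAND_LABELS for label in labels):
        return "lookalike"
    return "unrelated"


def classify_links(message: str) -> list:
    """Every URL found in the message, paired with its verdict."""
    return [(url, classify_host(host_of(url))) for url in URL_RE.findall(message)]


# Constructed message modelled on the campaign described in the article.
SAMPLE_MAIL = """Oggetto: Sospensione imminente SPID: azione obbligatoria
Aggiorna la Documentazione: hxxps://agidgov[.]com/aggiorna
Informazioni ufficiali: https://www.agid.gov.it/it/piattaforme/spid
"""

if __name__ == "__main__":
    for url, verdict in classify_links(SAMPLE_MAIL):
        print(f"{verdict:10s} {url}")
```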
The article AgID alert: SPID scams with highly credible sites put citizens at risk comes from il blog della sicurezza informatica.
AI revolution in China! 17 new academic research centres created in a single day
On 6 May, Sun Yat-sen University hosted a conference on the development of artificial intelligence, during which the Artificial Intelligence Research Institute was officially inaugurated and the creation of 17 new research centres was announced. Qian Depei, academician of the Chinese Academy of Sciences and first dean of the university's School of Computer Science, will chair the Institute's Academic Committee.
Chen Hongbo, executive vice president of the Institute, explained that the initiative integrates the scientific expertise found across the university's departments, structured on three levels: the "matter", the "foundation" and the "application" of artificial intelligence.
The aim is to address national strategic challenges, leverage the industrial advantages of the Greater Bay Area and promote key technological fields such as large multimodal models, low-power neuromorphic chips, autonomous systems, the low-altitude economy and other emerging sectors. The ultimate goal is to create a large-scale ecosystem uniting industry, research, academia and application.
China now seems to have drawn level with the United States, so much so that the NYT reported these milestones, reached by China in just 19 months, in an article stating: "The stakes of this competition are high. The leading US companies have largely developed proprietary AI models and charged royalties for their use, partly because training their models costs hundreds of millions of dollars. Chinese AI companies are expanding their influence by making their models freely available to the public, which can use, download and modify them, thus making them more accessible to researchers and developers around the world."
The 17 research centres will cover a wide range of interdisciplinary fields across the arts, sciences, medicine and engineering. Areas of interest include: high-performance scientific computing, mathematical foundations of AI, intelligent chips and systems, brain-inspired sensing devices, intelligent software, multi-agent models and embodied intelligence, AI applied to medical big data, and collective intelligence.
Gao Song, president of the University and also an academician of the Chinese Academy of Sciences, underlined the university's twofold approach: on the one hand, strengthening theoretical research and the development of key technologies such as advanced chips and basic software; on the other, using artificial intelligence to drive a paradigm shift in scientific research, promoting revolutionary technological innovation across several sectors.
During the event the Work Plan for the Promotion of Artificial Intelligence was also presented, which includes 15 initiatives divided into three areas: talent training, scientific and technological innovation, and governance. The university plans to consolidate its computing resources, improve support mechanisms and create a favourable environment for AI development and the nurturing of talent.
Zhu Kongjun, secretary of the university's party committee, stated that, as a leading institution of the Guangdong-Hong Kong-Macao Greater Bay Area, Sun Yat-sen University takes on the responsibility of leading the strategic development of AI, with a focus on technological self-sufficiency, basic innovation and concrete application in the service of national goals.
Founded in June 2020, the Artificial Intelligence Research Institute further expanded its activities in December 2024, becoming fully operational with premises of over 40,000 square metres and numerous world-class experimental platforms.
The article AI revolution in China! 17 new academic research centres created in a single day comes from il blog della sicurezza informatica.
Big Chemistry: Cement and Concrete
Not too long ago, I was searching for ideas for the next installment of the “Big Chemistry” series when I found an article that discussed the world’s most-produced chemicals. It was an interesting article, right up my alley, and helpfully contained a top-ten list that I could use as a crib sheet for future articles, at least for the ones I hadn’t covered already, like the Haber-Bosch process for ammonia.
Number one on the list surprised me, though: sulfuric acid. The article stated that it was far and away the most produced chemical in the world, with 36 million tons produced every year in the United States alone, out of something like 265 million tons a year globally. It’s used in a vast number of industrial processes, and pretty much everywhere you need something cleaned or dissolved or oxidized, you’ll find sulfuric acid.
Staggering numbers, to be sure, but is it really the most produced chemical on Earth? I’d argue not by a long shot, when there’s a chemical that we make 4.4 billion tons of every year: Portland cement. It might not seem like a chemical in the traditional sense of the word, but once you get a look at what it takes to make the stuff, how finely tuned it can be for specific uses, and how when mixed with sand, gravel, and water it becomes the stuff that holds our world together, you might agree that cement and concrete fit the bill of “Big Chemistry.”
Rock Glue
To kick things off, it might be helpful to define some basic terms. Despite the tendency to use them as synonyms among laypeople, “cement” and “concrete” are entirely different things. Concrete is the finished building material of which cement is only one part, albeit a critical part. Cement is, for lack of a better term, the glue that binds gravel and sand together into a coherent mass, allowing it to be used as a building material.
What did the Romans ever do for us? The concrete dome of the Pantheon is still standing after 2,000 years. Source: Image by Sean O’Neill from Flickr via Monolithic Dome Institute (CC BY-ND 2.0)
It’s not entirely clear who first discovered that calcium oxide, or lime, mixed with certain silicate materials would form a binder strong enough to stick rocks together, but it certainly goes back into antiquity. The Romans get an outsized but well-deserved portion of the credit thanks to their use of pozzolana, a silicate-rich volcanic ash, to make the concrete that held the aqueducts together and built such amazing structures as the dome of the Pantheon. But the use of cement in one form or another can be traced back at least to ancient Egypt, and probably beyond.
Although there are many kinds of cement, we’ll limit our discussion to Portland cement, mainly because it’s what is almost exclusively manufactured today. (The “Portland” name was a bit of branding by its inventor, Joseph Aspdin, who thought the cured product resembled the famous limestone from the Isle of Portland off the coast of Dorset in the English Channel.)
Portland cement manufacturing begins with harvesting its primary raw material, limestone. Limestone is a sedimentary rock rich in carbonates, especially calcium carbonate (CaCO3), which tends to be found in areas once covered by warm, shallow inland seas. Along with the fact that limestone forms between 20% and 25% of all sedimentary rocks on Earth, that makes limestone deposits pretty easy to find and exploit.
Cement production begins with quarrying and crushing vast amounts of limestone. Cement plants are usually built alongside the quarries that produce the limestone or even right within them, to reduce transportation costs. Crushed limestone can be moved around the plant on conveyor belts or using powerful fans to blow the crushed rock through large pipes. Smaller plants might simply move raw materials around using haul trucks and front-end loaders. Along with the other primary ingredient, clay, limestone is stored in large silos located close to the star of the show: the rotary kiln.
Turning and Burning
A rotary kiln is an enormous tube, up to seven meters in diameter and perhaps 80 m long, set on a slight angle from the horizontal by a series of supports along its length. The supports have bearings built into them that allow the whole assembly to turn slowly, hence the name. The kiln is lined with refractory materials to resist the flames of a burner set in the lower end of the tube. Exhaust gases exit the kiln from the upper end through a riser pipe, which directs the hot gas through a series of preheaters that slowly raise the temperature of the entering raw materials, known as rawmix.
The rotary kiln is the centerpiece of Portland cement production. While hard to see in this photo, the body of the kiln tilts slightly down toward the structure on the left, where the burner enters and finished clinker exits. Source: by nordroden, via Adobe Stock (licensed).
Preheating the rawmix drives off any remaining water before it enters the kiln, and begins the decomposition of limestone into lime, or calcium oxide:
The rotation of the kiln along with its slight slope results in a slow migration of rawmix down the length of the kiln and into increasingly hotter regions. Different reactions occur as the temperature increases. At the top of the kiln, the 500 °C heat decomposes the clay into silicate and aluminum oxide. Further down, as the heat reaches the 800 °C range, calcium oxide reacts with silicate to form the calcium silicate mineral known as belite:
Finally, near the bottom of the kiln, belite and calcium oxide react to form another calcium silicate, alite:
It’s worth noting that cement chemists have a specialized nomenclature for alite, belite, and all the other intermediary phases of Portland cement production. It’s a shorthand that looks similar to standard chemical nomenclature, and while we’re sure it makes things easier for them, it’s somewhat infuriating to outsiders. We’ll stick to standard notation here to make things simpler. It’s also important to note that the aluminates that decomposed from the clay are still present in the rawmix. Even though they’re not shown in these reactions, they’re still critical to the proper curing of the cement.
Portland cement clinker. Each ball is just a couple of centimeters in diameter. Source: مرتضا, Public domain
The final section of the kiln is the hottest, at 1,500 °C. The extreme heat causes the material to sinter, a physical change that partially melts the particles and adheres them together into small, gray lumps called clinker. When the clinker pellets drop from the bottom of the kiln, they are still incandescently hot. Blasts of air rapidly bring the clinker down to around 100 °C. The exhaust from the clinker cooler joins the kiln exhaust and helps preheat the incoming rawmix charge, while the cooled clinker is mixed with a small amount of gypsum and ground in a ball mill. The fine gray powder is either bagged or piped into bulk containers for shipment by road, rail, or bulk cargo ship.
The Cure
Most cement is shipped to concrete plants, which tend to be much more widely distributed than cement plants due to the perishable nature of the product they produce. True, both plants rely on nearby deposits of easily accessible rock, but where cement requires limestone, the gravel and sand that go into concrete can come from a wide variety of rock types.
Concrete plants quarry massive amounts of rock, crush it to specifications, and stockpile the material until needed. Orders for concrete are fulfilled by mixing gravel and sand in the proper proportions in a mixer housed in a batch house, which is elevated above the ground to allow space for mixer trucks to drive underneath. The batch house operators mix aggregate, sand, and any other admixtures the customer might require, such as plasticizers, retarders, accelerants, or reinforcers like chopped fiberglass, before adding the prescribed amount of cement from storage silos. Water may or may not be added to the mix at this point. If the distance from the concrete plant to the job site is far enough, it may make sense to load the dry mix into the mixer truck and add the water later. But once the water goes into the mix, the clock starts ticking, because the cement begins to cure.
Cement curing is a complex process involving the calcium silicates (alite and belite) in the cement, as well as the aluminate phases. Overall, the calcium silicates are hydrated by the water into a gel-like substance of calcium oxide and silicate. For alite, the reaction is:
Scanning electron micrograph of cured Portland cement, showing needle-like ettringite and plate-like calcium oxide. Source: US Department of Transportation, Public domain
At the same time, the aluminate phases in the cement are being hydrated and interacting with the gypsum, which prevents early setting by forming a mineral known as ettringite. Without the needle-like ettringite crystals, aluminate ions would adsorb onto alite and block it from hydrating, which would quickly reduce the plasticity of the mix. Ideally, the ettringite crystals interlock with the calcium silicate gel, which binds to the surface of the sand and gravel and locks it into a solid.
Depending on which adjuvants were added to the mix, most concretes begin to lose workability within a few hours of rehydration. Initial curing is generally complete within about 24 hours, but the curing process continues long after the material has solidified. Concrete in this state is referred to as “green,” and continues to gain strength over a period of weeks or even months.
When AI Gets Too Social: The Grok Case and the Manipulation of Images of Women
The X platform once again finds itself at the centre of an ethics scandal, this time because of the behaviour of Grok, the chatbot created by Elon Musk's company. Social network users have begun using the AI en masse to "undress" women in public. All it takes is to leave a comment with an image and the phrase "take her clothes off" under someone's photo, and Grok will create an edited image of the woman in underwear or a swimsuit. In some cases, instead of an image, the bot provides a link to a separate chat where the generation takes place.
The accessibility of this feature and the ability to trigger it directly in the comments under public posts make the situation particularly toxic. We are not talking about specialised sites with paid access to deepfakes, but about an ordinary social network, where the image immediately becomes a reply to the victim's original post. Even if Grok does not create fully nude images like other bots, the consequences of these "semi-nude" images are no less traumatic.
The first reports of a new wave of abuse come from Kenya. Apparently it was there that the "undress" function via Grok became particularly popular in early May. Local media reported that a large number of users complained about such actions. A search on the X platform reveals dozens of similar attempts aimed at women who had posted their photos. Protection is not an option. It is a necessity.
Human rights researchers published a screenshot of Grok in action and asked X's AI directly whether it had adopted systemic safety measures, such as filters, decoding errors or reinforcement learning, to avoid generating unethical content. Grok publicly replied acknowledging the error and stating that the incident was due to insufficient protection against harmful requests. The reply stressed that the team is reviewing its safety policies to improve transparency and privacy protection.
However, despite the apology, the bot continued to fulfil such requests. Attempts to ask Grok to "make a person completely nude" do in fact meet with a refusal, but the intermediate stages, that is, an image of a woman in lingerie, remain available for now. The AI even accompanies some rejected requests with explanations about the inadmissibility of creating images that completely violate privacy, while immediately adding that the image in underwear has already been generated.
This imbalance in the system's responses highlights the imperfection of the existing filters and the lack of real limitations at the user interface level. So far, however, X's management has not commented on the situation.
Many users are already openly expressing their outrage. In their view, using artificial intelligence to manipulate images of women without consent is not technological entertainment but a form of digital violence. Some compare what is happening to a mass violation of boundaries, masked by the interface of a trendy chatbot.
The article When AI Gets Too Social: The Grok Case and the Manipulation of Images of Women comes from il blog della sicurezza informatica.
Magic On Your Desk via MagLev Toy
Magnets aren’t magic, but sometimes you can do things with them to fool the uninitiated — like levitating. [Jonathan Lock] does that with his new maglev desk toy, that looks like at least a level 2 enchantment.
This levitator is USB-powered, and typically draws 1 W to 3 W to levitate masses between 10 g and 500 g. The base can provide 3 V to 5 V inductive power to the levitator to the tune of 10 mA to 50 mA, which is enough for some interesting possibilities, starting with the lights and motors [Jonathan] has tried.
In construction it is much like the commercial units you’ve seen: four permanent magnets that repel another magnet in the levitator. Since such an arrangement is about as stable as balancing a basketball on a piece of spaghetti, the permanent magnets are wrapped in control coils that pull the levitator back to the center on a 1 kHz loop. This is accomplished by way of a Hall sensor and an STM32 microcontroller running a PID loop. The custom PCB also has an onboard ESP32, but it’s used as a very overpowered USB/UART converter to talk to the STM32 for tuning in the current firmware.
If you think one of these would be nice to have on your desk, check it out on [Jonathan]’s GitLab. It’s all there, from a detailed build guide (with easy-to-follow animated GIF instructions) to CAD files and firmware. Kudos to [Jonathan] for the quality write-up; sometimes documenting is the hardest part of a project, and it’s worth acknowledging that as well as the technical aspects.
We’ve written about magnetic levitation before, but it doesn’t always go as well as this project. Other times, it very much does. There are also other ways to accomplish the same feat, some of which can lift quite a bit more.
Can we fix the digital transatlantic relationship?
WELCOME BACK TO DIGITAL BRIDGE. I'm Mark Scott, and this weekend marked May 4th — also known as Star Wars Day, for those who follow such things. This video plays in my head every time I have to explain the Star Wars basics to a non-fan.
For anyone in Brussels on May 15, I'll be co-hosting a tech policy gathering in the EU Quarter. We're running a waiting list, so add your name here and we'll try to open up some more slots.
— The transatlantic relationship on tech is in the worst shape in decades. Here are some ways to improve it — even if wider political tensions remain.
— A far-right candidate won the first round of Romania's presidential election. Europe has not responded well to the digital fall-out.
— Media freedom has been significantly curtailed over the last decade amid people's shift toward social media for their understanding of the world.
Let's get started:
LET'S BE CLEAR: THE TRANSATLANTIC RELATIONSHIP on tech is the worst I've seen in 20 years. The White House has already made clear it views European Union digital regulation as akin to protectionist tariffs, as well as an unfair check on free speech. The Berlaymont Building — home to the European Commission — has struggled to secure high-level meetings for its digital officials whenever they've made it to Washington. It also has doubled down on internal efforts to promote European economic interests over those from outside the bloc via public funds dedicated to the next generation of emerging technology.
In short, Brussels and Washington are talking past each other. Even when United States and EU officials disagreed — as they often did — in the past, there was always an informal line of communication between policymakers to ease tensions. That came from individuals, on both sides, who had invested a significant amount of personal capital in building ties with each other. People met at conferences. They swapped cellphone numbers. They built professional, and sometimes personal, relationships with their counterparts in each respective city.
I wouldn't say those networks are completely gone. But they are certainly on life support. It has left the world's two most important democratic powers at a crossroads. And on digital policymaking, I'm seeing more and more signs that the EU and other parts of the democratic world (with the significant exceptions of the United Kingdom and Japan) are now willing to distance themselves from their one-time trusted ally.
But after I outlined that theory a couple of weeks ago in Digital Politics, many of you got in touch with a fair criticism. We get that things are bad, went the emails. But where are the areas of common ground that can keep the (digital) embers alive — even if the transatlantic fire looks like it's going out?
Fair point. It's easy to criticize. It's harder to offer solutions. So here goes.
First, one chess piece worth taking off the board. In many European capitals, there's a growing interest in working directly with US state leaders, most notably governors who have taken on an increasing leadership position on tech just as Washington has given up that role. I wouldn't put my eggs in that basket — even if that could include working directly with California on areas like artificial intelligence standards and international data flow rules.
Here's what paid subscribers read in April:
— Why digital services won't be on the front line of the unfolding global trade war; Donald Trump's extension of the TikTok sale/ban doesn't solve any of the underlying problems; How different generations consume online media. More here.
— The idea that any tech giant has a monopoly on social media misunderstands how we all use these platforms; What's behind Brussels' renewed attempt to "streamline" its digital rulebook; Annual corporate investment in AI has grown 13-fold over the last decade. More here.
— Non-US policymakers are seriously considering how to pull back from the US on tech; The transatlantic consensus that Google is a monopoly will have long-term consequences, but it will take time to play out; Digital-focused civil society groups worldwide have been hurt by cuts in US government support. More here.
— Canada's recent election shows the limits on how the online world can shape offline politics; How to understand the European Commission's collective $790 million antitrust fine against Meta and Apple; Brussels will spend $66 million this year to enforce its online safety regime. More here.
As much as many would like to bypass the current situation in Washington (and I mean the wider morass of nothingness on tech, excluding the recent Take it Down Act that will likely be signed by Donald Trump), few, if any, foreign governments are willing to publicly push ahead with such US state-based digital diplomacy out of fear of negating decades-old international norms that national governments speak to other national governments on such foreign policy issues. Basically, working directly with US states is a non-starter for most non-US government officials.
OK, so where can we find common ground? Weirdly, antitrust policy feels like the most secure US-EU digital issue where both sides are forging ahead with a new collective consensus. Yes, the White House may not like the EU's Digital Markets Act (though it has remained mostly quiet about the recent fines against Meta and Apple, respectively). And yes, many EU competition officials look at the decades of Washington's stalled antitrust investigations into Big Tech as a sign the US is too slow and/or too unwilling to act.
But in the last five years, there's been a growing consensus across the Atlantic that 1) parts of Silicon Valley have abused their market dominance; 2) consumers and smaller rivals have been unfairly affected by those actions; and 3) aggressive antitrust enforcement — including the potential break-up of some of these tech companies — is the only way to re-level the market.
If that doesn't sound like a first step toward a rekindled transatlantic relationship on tech, then I don't know what does.
Next, to the thorniest of topics: platform governance. Trump's aversion to European-style online safety rules is well-known. It was mostly shared by his Republican and Democratic predecessors in the White House. Brussels, too, hates the fact its internal media landscape is dominated by the likes of Instagram and YouTube.
But where both sides equally agree is that more needs to be done to protect minors from online predatory behavior, scams and potentially abusive content algorithms, which has led to a series of EU and US efforts aimed at boosting digital child safety. Yes, this is not a like-for-like comparison. Some in the US have given parents too much control over what their kids can see on social media. Some in the EU want to impose age verification standards — in the name of child safety — that would fundamentally undermine how the current internet works.
But the basic premise — that children must be better protected as they navigate the online world — is an issue that both sides of the current transatlantic divide can agree on. What better way to maintain some form of ongoing EU-US relationship on tech?
The third area goes out to all the uber-wonks among us. Washington and Brussels should double down on the geekiest of digital technocratic standards as a means of bridging the political divide. That includes technical discussions that have thrived, for decades, in international and multi-stakeholder organizations like the 3rd Generation Partnership Project, or 3GPP, which sets global standards for telecommunications networks. Yes, I told you this stuff was geeky.
That would allow European and US officials — and, by extension, companies — to continue talking, even if their political masters ratchet up the transatlantic trade dispute. It would also provide a greater level of certainty for American and EU businesses to invest in the digital world, which is, according to both Brussels and Washington, an ongoing political objective.
So there you have it: competition, child safety and tech standards. Three areas that could be a foundation for ongoing talks and cooperation amid an increasingly geopolitical period. Runners-up tech topics also include: cybersecurity, defense and data flows. If you're interested in me unpacking those, let me know here.
The $64 million question is whether Washington and Brussels are willing and/or able to see beyond their short-term political fight to allow apolitical officials to continue the digital work they've been doing for years.
In normal circumstances, I would certainly hope so. But as anyone who has spent time in either Brussels or Washington this year will attest to, we're not living in normal circumstances. And even the hope of finding non-partisan digital topics upon which the transatlantic relationship can be rekindled feels more like a hope, currently, than a legitimate policymaking objective.
For some bonus content, here are my latest pieces for Tech Policy Press on how the US is pulling back from its global leadership on digital policy and how the EU is embracing its inner Trump, on tech, to Make Europe Great Again.
Chart of the Week
REPORTERS WITHOUT BORDERS, a nonprofit organization, compiles a yearly index that tracks five indicators — security, social, legislative, political and economic — on the health of countries' domestic media ecosystems.
The last decade has not been good. The chart on the left, from 2013, highlights that while the likes of China and Saudi Arabia scored poorly across the board, democratic states — including the majority of Europe and North America — were still viewed as "satisfactory" (the light orange color).
Fast forward to 2025, and many of those democratic countries, including the US, have fallen (see chart on the right) into the "problematic" category (the dark orange color). That includes many parts of Central and Eastern Europe, too.
Source: World Press Freedom Index
What happened in Romania? Take Two
AS DIGITAL POLITICS WENT TO PRESS on May 4, George Simion, a far-right ultra-nationalist politician, had won the first round of Romania's presidential election. The leader of the anti-vaccine Alliance for the Union of Romanians secured 41 percent of the vote — less than the majority Simion would need to win outright. He will now face a run-off, on May 18, with Nicușor Dan, the mayor of Bucharest, who garnered 21 percent of the first-round vote.
For the latest on Romania's presidential election, see here, here and here.
The reason Romania is holding a do-over on its presidential election is because of claims, during the previous vote in November, that pro-Russian politician Calin Georgescu unfairly used TikTok to woo voters in his unlikely first-round victory. The ultra-nationalist politician came out of the blue to top the first-round poll, and national regulators accused the China-linked platform of failing to uphold the country's electoral rules.
In an unprecedented step, Romania's intelligence services then released redacted documents (overview here) accusing foreign actors (they didn't mention Russia, but that was the inference) of conducting 85,000 cyberattacks on the country's election infrastructure. They also suggested there was a cross-platform influence operation involving pro-Georgescu Telegram channels that coordinated messages which people could then post to TikTok and Facebook. The spooks said similar tactics had been used in Ukraine — but, again, Moscow was never specifically mentioned in the redacted documents.
Not surprisingly, TikTok pushed back hard against accusations it had any role in Romania's last presidential election. It released a series of cherry-picked reports (see here and here) about how the platform had removed spam accounts, promoted authoritative information to voters and taken down waves of false likes and follow requests.
In December, a senior Romanian court annulled Georgescu's presidential first-round win, in part because of the declassified intelligence documents. That same month, the European Commission opened an investigation into TikTok's role in the Romanian vote, focusing on how the tech giant may have failed to mitigate election-related risks. In February, Georgescu was placed under investigation for mostly potential campaign financing irregularities. And in March, he was barred from standing in this week's presidential re-run.
I get it. That's a lot to take in — especially for most of us who are not Romanian politics experts.
But what is central to the wider digital debate is that a presidential election in a democratic European country was annulled based on unsubstantiated claims that one of the candidates had unfairly benefited from a social media campaign that, potentially, had ties to Russia. That then led to both domestic and EU investigations into campaign financing irregularities and the role of a foreign-owned social media platform in a European country's nationwide vote.
To date, no one has been convicted of a crime. Brussels has yet to publish any evidence of TikTok's role in allowing a coordinated influence campaign to flourish on its platform ahead of the November election.
If true, both sets of accusations — related to Georgescu's alleged campaign financing issues and TikTok's role in the November presidential election — would be grounds for potentially annulling the first-round presidential election. And there is an argument that, given the speed of events, local judges and the European Commission had no choice but to step in, even if no actual evidence had yet been shown to a court to prove any of the accusations.
But my fear is that in annulling the first round election in November, and then barring Georgescu from standing in this weekend's vote, Romania's court has given ultranationalists and pro-Russian politicians an easy victory in the battle for hearts-and-minds.
Simion, another far-right ultra-nationalist politician, came first in the latest first-round presidential vote — and was closer to the 50 percent mark to secure an outright victory than many had expected. It's hard to argue there isn't a public groundswell of support for such opinions, now that similar pro-Russian presidential candidates have topped the polls in consecutive votes. And yes, TikTok was used again to communicate with voters. But its role in this weekend's election, based on what has been made public, was not significant compared to other means of reaching would-be supporters.
In jumping headlong into Romania's domestic politics, the European Commission also has over-stepped its role within the bloc's online safety regime, known as the Digital Services Act. Those rules do have a remit when it comes to election-related matters.
But by pulling the emergency cord in response to November's now-annulled election — via its ongoing investigation into TikTok's role in that vote — Brussels has made it easier for critics to claim the EU is willing to use its digital regulation to change voting decisions that officials in Brussels do not agree with.
I get it. That's not what is happening with the ongoing TikTok probe. But the perception for many on the outside is that the European Commission is weaponizing the Digital Services Act as part of efforts to nudge Romanians to vote against pro-Russian, far-right politicians.
That's just not a good look for the 27-country bloc as both domestic and non-EU influencers ramp up claims that Europe's online safety rules are an anti-democratic effort to censor online voices with whom it disagrees.
What I'm reading
— The Future of Privacy Forum breaks down all you need to know about South Korea's new AI regulatory framework. More here.
— Ireland's Data Protection Commission fined TikTok $600 million for failing to adequately protect Europeans' data that was transferred to China. TikTok's response here.
— International Association of Privacy Professionals explains why Colorado is reconsidering its approach to regulating artificial intelligence. More here.
— Researchers from the University of Zurich used AI-generated content in online discussions on Reddit to see if such content could change people's minds. The study received significant pushback for failing to gain consent of the people targeted by the AI-generated content. More here and here.
— The DSA40 Data Access Collaboratory published an in-depth FAQ on how Europe's online safety rules allow independent researchers to access platform data. More here.
State of ransomware in 2025
Global ransomware trends and numbers
With the International Anti-Ransomware Day just around the corner on May 12, Kaspersky explores the ever-changing ransomware threat landscape and its implications for cybersecurity. According to Kaspersky Security Network data, the number of ransomware detections decreased by 18% from 2023 to 2024 – from 5,715,892 to 4,668,229. At the same time, the share of users affected by ransomware attacks increased by 0.02 p.p. to 0.44%. This smaller percentage compared to other cyberthreats is explained by the fact that attackers often don’t distribute this type of malware on a mass scale, but prioritize high-value targets, which reduces the overall number of incidents.
That said, if we look at incidents at organizations requiring immediate incident response services that were mitigated by Kaspersky’s Global Emergency Response Team (GERT), we’ll see that 41.6% of them were related to ransomware in 2024, compared to 33.3% in 2023. Targeted ransomware is likely to remain the primary threat to organizations around the world for the foreseeable future.
Below are some of the global trends that Kaspersky observed with ransomware in 2024.
Ransomware-as-a-Service (RaaS) dominance
The RaaS model remains the predominant framework for ransomware attacks, fueling their proliferation by lowering the technical barrier for cybercriminals. In 2024, RaaS platforms like RansomHub thrived by offering malware, technical support and affiliate programs that split the ransom (e.g., 90/10 for affiliates/core group). This model enables less-skilled actors to execute sophisticated attacks, contributing to the emergence of multiple new ransomware groups in 2024 alone. While traditional ransomware still exists, the scalability and profitability of RaaS make it the primary engine, with platforms evolving to include services such as initial access brokering and data exfiltration, ensuring its dominance into 2025.
Some groups continue to go cross-platform, while Windows remains the primary target
Many ransomware attacks still target Windows-based systems, reflecting the operating system's widespread use in enterprise environments. The architecture of Windows, combined with weaknesses in exposed services such as Remote Desktop Protocol (RDP) and unpatched systems, makes it a prime target for ransomware executables. In recent years, however, some attackers have diversified, with groups like RansomHub and Akira developing variants for Linux and VMware systems, particularly in cloud and virtualized environments. While Windows remains the epicenter, the growing focus on cross-platform ransomware signals a shift toward exploiting diverse infrastructures, especially as organizations adopt hybrid and cloud setups. This is not a new trend, and we expect it to persist in the coming years.
Overall ransomware payments down, average ransom payment up
According to Chainalysis, ransomware payments dropped significantly in 2024 to approximately $813.55 million, down 35% from a record $1.25 billion in 2023. On the other hand, Sophos reports that the average ransom payment surged from $1,542,333 in 2023 to $3,960,917 in 2024, reflecting a trend of targeting larger organizations with higher demands. This report also highlights that more organizations paid ransoms to get their data back, although other reports indicate that fewer organizations paid ransoms than in 2023. For example, according to Coveware, a company that specializes in fighting ransomware, the payment rate hit a record low of 25% in Q4 2024, down from 29% in Q4 2023, driven by law enforcement crackdowns, improved cybersecurity and regulatory pressures discouraging payments.
While encryption remains a core component of many ransomware attacks, the primary goal for some groups has shifted or expanded beyond locking data
In 2024, cybercriminals increasingly prioritized data exfiltration alongside, or sometimes instead of, encryption, focusing on stealing sensitive information to maximize leverage and profits or even extending threats to third parties such as customers, partners, suppliers, etc. Encryption is still widely used, but the rise of double and triple extortion tactics shows a strategic pivot. RansomHub and most modern ransomware groups often combine encryption with data theft, threatening to leak or sell stolen data if a ransom is not paid, making exfiltration a critical tactic.
Dismantled or disrupted ransomware actors in 2024
Several major ransomware groups faced significant disruptions in 2024, though the ecosystem’s resilience limited the long-term impact. LockBit, responsible for 27.78% of attacks in 2023, was hit hard by Operation Cronos in February 2024, with law enforcement seizing its infrastructure, arresting members and unmasking its leader, Dmitry Khoroshev. However, despite these efforts, LockBit relaunched its operations and remained active throughout 2024.
ALPHV/BlackCat, another prolific group, was dismantled after an FBI operation in December 2023, though affiliates migrated to other groups such as RansomHub. The Radar/Dispossessor operation was disrupted by the FBI in August 2024, and German authorities seized 47 cryptocurrency exchanges linked to ransomware laundering. Despite these takedowns, groups like RansomHub and Play quickly filled the void, underscoring the challenge of eradicating ransomware networks. However, according to the latest research, the RansomHub group presumably paused their operations as of April 1, 2025.
Some groups disappear, others pick up their work
When ransomware groups disband or disappear, their tools, tactics and infrastructure often remain accessible in the cybercriminal ecosystem, allowing other groups to adopt and enhance them. For example, groups like BlackMatter or REvil, after facing pressure from law enforcement, saw their code and methods reused by successors like BlackCat, which in turn was followed by Cicada3301. Disappearing groups may also sell their source code, exploit kits or affiliate models on dark web forums, enabling emerging or existing gangs to repurpose these resources. In addition, malicious tools are sometimes leaked to the internet, as was the case with LockBit 3.0. As a result, many smaller groups or individuals unrelated to the ransomware developers, including hacktivists and low-skilled cybercriminals, get hold of these tools and use them for their own purposes. This cycle of knowledge transfer accelerates the evolution of ransomware as new actors build on proven strategies, adapt to countermeasures, and exploit vulnerabilities faster than defenders can respond. One consequence for defenders is that telemetry based on the toolkit alone may attribute these new groups to the original developers (e.g., a leaked LockBit 3.0 builder being detected as LockBit), so family-level detections should not be read as actor attribution.
Ransomware groups increasingly developing their own custom toolkits
This is done to increase the effectiveness of their attacks and avoid detection. These toolkits often include exploitation tools, lateral movement tools, password attack tools, etc. that are tailored to specific targets or industries. By creating proprietary tools, these groups reduce their reliance on widely available, detectable exploits and maintain control over their operations. This in-house development also facilitates frequent updates to counter defenses and exploit new vulnerabilities, making their attacks more resilient and harder for cybersecurity measures to mitigate.
General vs. targeted ransomware share
Targeted ransomware attacks, aimed at specific organizations for maximum disruption and payout, focus on high-value targets such as hospitals, financial institutions and government agencies, leveraging reconnaissance and zero-day exploits for precision. General ransomware, which spreads indiscriminately via phishing or external devices, often affects smaller businesses or individuals with weaker defenses. The focus on targeted attacks reflects cybercriminals’ preference for larger ransoms, though general ransomware persists due to its low-effort, high-volume potential.
According to Kaspersky research, RansomHub was the most active group executing targeted attacks in 2024, followed by Play.
Figure: Each group’s share of victims according to its data leak site (DLS) as a percentage of all reported victims of all groups during the period under review.
AI tools used in ransomware development (FunkSec)
FunkSec emerged as a ransomware group in late 2024 and quickly gained notoriety, claiming multiple victims in December alone and outpacing established groups like Cl0p and RansomHub. Operating on a Ransomware-as-a-Service (RaaS) model, FunkSec employs a double extortion tactic that combines data encryption with exfiltration. The group targets sectors such as government, technology, finance and education in countries including India, Spain and Mongolia.
FunkSec is notable for its heavy reliance on AI-assisted tools, particularly in malware development. Its ransomware features AI-generated code with comments that are perfect from a language perspective, suggesting the use of large language models (LLMs) to streamline development and evade detection. Unlike typical ransomware groups that demand millions, FunkSec’s ransoms are unusually low, adopting a high-volume, low-cost approach.
Bring Your Own Vulnerable Driver attacks continue
Bring Your Own Vulnerable Driver (BYOVD) is an increasingly prevalent technique used in ransomware attacks to bypass security defenses and gain kernel-level access on Windows systems.
With BYOVD, attackers deploy a legitimate but vulnerable driver – often digitally signed by a trusted vendor or Microsoft – on a target system. These drivers, which operate at the kernel level (ring 0) with high privileges, contain exploitable flaws that allow attackers to disable security tools, escalate privileges or execute malicious code undetected. By leveraging signed drivers, attackers can evade Windows’ default security checks.
Although BYOVD is an advanced technique, there is a range of open-source tools like EDRSandblast and Backstab that lower the technical barriers and simplify such attacks. According to the Living Off The Land Drivers (LOLDrivers) project, hundreds of exploitable drivers are known, highlighting the scale of the problem. Attackers continue to find new vulnerable drivers, and tools like KDMapper allow mapping of unsigned drivers into memory via BYOVD, complicating defenses.
Regional ransomware trends and numbers
Figure: Share of users whose computers were attacked by crypto-ransomware, by region. Data from Kaspersky Security Network.
In the Middle East and Asia-Pacific regions, ransomware affected a higher share of users due to rapid digital transformation, expanding attack surfaces and varying levels of cybersecurity maturity. Enterprises in APAC were heavily targeted, driven by attacks on infrastructure and operational technology, especially in countries with growing economies and new data privacy laws.
Ransomware is less prevalent in Africa due to lower levels of digitization and economic constraints, which reduce the number of high-value targets. However, as countries like South Africa and Nigeria expand their digital economies, ransomware attacks are on the rise, particularly in the manufacturing, financial and government sectors. Limited cybersecurity awareness and resources leave many organizations vulnerable, though the smaller attack surface means the region remains behind global hotspots.
Latin America also experiences ransomware attacks, particularly in countries like Brazil, Argentina, Chile and Mexico. Manufacturing, agriculture, and retail, as well as critical sectors such as government and energy are targeted, but economic constraints and smaller ransoms deter some attackers. The region’s growing digital adoption is increasing exposure. For example, NightSpire ransomware compromised Chilean company EmoTrans, a logistics company serving key industries in Chile such as mining, agriculture and international trade. The group first appeared in March 2025, and attacked government institutions, manufacturers and other companies in various parts of the world. Like many other groups, NightSpire uses the double extortion strategy and has its own data leak site (DLS).
The Commonwealth of Independent States (CIS) sees a smaller share of users encountering ransomware attacks. However, hacktivist groups like Head Mare, Twelve and others active in the region often use ransomware such as LockBit 3.0 to inflict damage on target organizations. Manufacturing, government, and retail are the most targeted sectors, with varying levels of cybersecurity maturity across the region affecting security.
Europe is confronted with ransomware, but benefits from robust cybersecurity frameworks and regulations that deter some attackers. Sectors such as manufacturing, agriculture, and education are targeted, but mature incident response and awareness limit the scale of attacks. The region’s diversified economies and strong defenses make it less of a focal point for ransomware groups than regions with rapid, less secure digital growth.
For example, RansomHub claimed responsibility for a 2024 attack on Kawasaki’s European offices, disrupting operations across multiple countries. The breach compromised customer and operational data, affecting supply chains for Kawasaki’s motorcycle and industrial products in Europe. The regional impact was significant in countries such as Germany and the Netherlands, where Kawasaki has a strong market presence, highlighting vulnerabilities in Europe’s manufacturing sector.
Figure: Change in the share of users whose computers were attacked by crypto-ransomware, by region, 2024 compared to 2023. Data from Kaspersky Security Network.
Emerging threats and future outlook
Looking ahead to 2025, ransomware is expected to evolve by exploiting unconventional vulnerabilities, as demonstrated by the Akira gang’s use of a webcam to bypass endpoint detection and response systems and infiltrate internal networks. Attackers are likely to increasingly target overlooked entry points like IoT devices, smart appliances or misconfigured hardware in the workplace, capitalizing on the expanding attack surface created by interconnected systems. As organizations strengthen traditional defenses, cybercriminals will refine their tactics, focusing on stealthy reconnaissance and lateral movement within networks to deploy ransomware with greater precision, making it harder for defenders to detect and respond in time.
Ransomware groups are also likely to escalate their extortion strategies, moving beyond double extortion to more aggressive approaches such as threatening to leak sensitive data to regulators, competitors or the public. The Ransomware-as-a-Service model will continue to thrive, allowing less-skilled actors to launch sophisticated attacks by purchasing access to pre-built tools and exploit kits. Geopolitical tensions may further drive hacktivism and state-sponsored ransomware campaigns targeting critical assets, such as energy grids or healthcare systems, as part of hybrid warfare. Smaller organizations with limited cybersecurity budgets will face heightened risks as attackers exploit their weaker defenses. To adapt, businesses must adopt zero-trust security models, secure IoT ecosystems and prioritize employee training to mitigate phishing and social engineering threats.
The proliferation of large language models (LLMs) tailored for cybercrime will further amplify ransomware’s reach and impact. LLMs marketed on the dark web lower the technical barrier to creating malicious code, phishing campaigns and social engineering attacks, allowing even less-skilled actors to craft highly convincing lures or automate ransomware deployment. As more innovative concepts such as RPA (Robotic Process Automation) and LowCode, which provide an intuitive, visual, AI-assisted drag-and-drop interface for rapid software development, are quickly adopted by software developers, we can expect ransomware developers to use them to automate their attacks as well as new code development, making the ransomware threat even more prevalent.
Recommendations
To effectively counter ransomware in 2025, organizations and individuals must adopt a multi-layered defense strategy that addresses the evolving tactics of groups like FunkSec, RansomHub and others that leverage AI, Bring Your Own Vulnerable Driver (BYOVD) and double extortion.
Prioritize proactive prevention through patching and vulnerability management. Many ransomware attacks exploit unpatched systems, so organizations should implement automated patch management tools to ensure timely updates for operating systems, software and drivers. For Windows environments, enabling Microsoft’s Vulnerable Driver Blocklist is critical to thwarting BYOVD attacks. Regularly scan for vulnerabilities and prioritize high-severity flaws, especially in widely used software like Microsoft Exchange or VMware ESXi, which were increasingly targeted by ransomware in 2024.
Strengthen endpoint and network security with advanced detection and segmentation. Deploy robust endpoint detection and response solutions such as Kaspersky NEXT EDR to monitor for suspicious activity like driver loading or process termination. Network segmentation is equally important – limit lateral movement by isolating critical systems and using firewalls to restrict traffic. Implement a zero-trust architecture that requires continuous authentication for access.
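The BYOVD section above and the recommendation here to monitor driver loading describe the same detection problem: the abused driver is usually validly signed, so a signature check alone will not flag it, and the telling signals are a hash match against a vulnerable-driver list and a security process dying right after the load. The following is an added defensive example written for this page, not code from Kaspersky or from the report. It triages Sysmon Event ID 6 ("Driver loaded") records, correlating them with Event ID 5 ("Process terminated") records within a short window. The sample events, the SHA256 values in the blocklist (placeholders standing in for a feed such as the LOLDrivers hash list) and the security process names are all constructed for the example.

```python
"""Triage kernel driver loads for Bring Your Own Vulnerable Driver (BYOVD) indicators.

Added defensive example; not Kaspersky's code. Input is a text dump of Sysmon
Event ID 6 (Driver loaded) and Event ID 5 (Process terminated) records rendered
as 'Key: Value' lines. Every event, hash and process name below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Placeholder hash standing in for a real vulnerable-driver list entry (constructed).
PLACEHOLDER_VULN_HASH = "1" * 64
KNOWN_VULNERABLE_SHA256 = {PLACEHOLDER_VULN_HASH: "placeholder-vulnerable-driver-A"}

# Processes whose exit right after a driver load is a classic BYOVD tell (constructed names).
SECURITY_PROCESSES = {"msmpeng.exe", "sysmon64.exe", "edr-agent.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")
SYSMON_TIME = "%Y-%m-%d %H:%M:%S.%f"


@dataclass
class Event:
    event_id: int
    utc_time: datetime
    fields: dict[str, str]


def parse_events(text: str) -> list[Event]:
    """Split a dump into records; each record starts with an 'EventID:' line."""
    events = []
    for block in re.split(r"\n(?=EventID:)", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first colon only; paths and times keep theirs
            fields[key.strip()] = value.strip()
        events.append(Event(int(fields["EventID"]),
                            datetime.strptime(fields["UtcTime"], SYSMON_TIME), fields))
    return events


def sha256_of(ev: Event) -> str | None:
    """Pull the SHA256 digest out of Sysmon's 'Hashes' field (e.g. 'SHA256=...,IMPHASH=...')."""
    m = re.search(r"SHA256=([0-9A-Fa-f]{64})", ev.fields.get("Hashes", ""))
    return m.group(1).lower() if m else None


def triage(events: list[Event], window: timedelta = timedelta(seconds=30)) -> list[dict]:
    """Return one finding per driver load that matches at least one BYOVD indicator."""
    findings = []
    loads = [e for e in events if e.event_id == 6]
    kills = [e for e in events if e.event_id == 5]
    for ev in loads:
        reasons = []
        digest = sha256_of(ev)
        if digest in KNOWN_VULNERABLE_SHA256:
            reasons.append("blocklisted: " + KNOWN_VULNERABLE_SHA256[digest])
        if ev.fields.get("SignatureStatus", "").lower() != "valid":
            reasons.append("signature status " + (ev.fields.get("SignatureStatus") or "missing"))
        image = ev.fields.get("ImageLoaded", "")
        if not image.lower().startswith(TRUSTED_DIRS):
            reasons.append("unusual path " + image)
        # Behavioural check: a security process terminated shortly after the load.
        for k in kills:
            name = k.fields.get("Image", "").rsplit("\\", 1)[-1].lower()
            if name in SECURITY_PROCESSES and ev.utc_time <= k.utc_time <= ev.utc_time + window:
                delta = (k.utc_time - ev.utc_time).total_seconds()
                reasons.append(f"{name} terminated {delta:.1f}s after load")
        if reasons:
            findings.append({"time": ev.fields["UtcTime"], "driver": image, "reasons": reasons})
    return findings


# Constructed sample: one benign Microsoft driver load, then a signed driver loaded from
# a user-writable path whose hash is blocklisted, followed by the EDR agent dying.
SAMPLE_LOG = f"""\
EventID: 6
UtcTime: 2025-05-01 10:15:32.101
ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys
Hashes: SHA256={"2" * 64}
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid
EventID: 6
UtcTime: 2025-05-01 10:16:05.440
ImageLoaded: C:\\Users\\Public\\ldr\\helper.sys
Hashes: SHA256={PLACEHOLDER_VULN_HASH}
Signed: true
Signature: Example Hardware Vendor (placeholder)
SignatureStatus: Valid
EventID: 5
UtcTime: 2025-05-01 10:16:09.002
Image: C:\\Program Files\\EDR\\edr-agent.exe
"""

if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_LOG)):
        print(finding["time"], finding["driver"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The second driver in the sample carries a valid signature, which is exactly why a hash list and the process-termination correlation are needed; on a real host the same logic would be fed from the Sysmon operational log, and the hash set would be loaded from the LOLDrivers project or from Microsoft's Vulnerable Driver Blocklist rather than from a placeholder.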
Invest in backups, training and incident response planning. Maintain offline or immutable backups that are tested regularly to ensure rapid recovery without paying a ransom. Backups should cover critical data and systems and be stored in air-gapped environments to resist encryption or deletion. User education is essential to combat phishing, which remains one of the top attack vectors. Conduct simulated phishing exercises and train employees to recognize AI-crafted emails used by FunkSec and others for stealth. Kaspersky GERT can help develop and test an incident response plan to minimize potential downtime and costs.
The recommendation to not pay a ransom remains robust, especially given the risk of unavailable keys due to dismantled infrastructure, affiliate chaos or malicious intent, as seen in the 2024 disruptions. By investing in backups, incident response and preventive measures like patching and training, organizations can avoid funding criminals and mitigate the impact. Kaspersky also offers free decryptors for certain ransomware families. If you get hit by ransomware, check to see if there is a decryptor available for the ransomware family used in your case. Note that even if one isn’t available right now, it may be added later.
Not a single line of code! Darcula floods the world with phishing, stealing 884,000 credit cards
In the world of organized cybercrime, Darcula represents a paradigm shift. We are not talking about a simple phishing kit or a badly run botnet. Darcula is a fully fledged platform, a service sold “as-a-Service” that has allowed hundreds of criminal operators to orchestrate attacks on a global scale, with more than 884,000 credit cards stolen, according to a recent investigation coordinated by Mnemonic, a Norwegian company specializing in threat intelligence.
December 2023. A seemingly ordinary SMS reaches a Mnemonic employee: a fraudulent notification imitating the Norwegian postal service. The analyst team decides to dig in and discovers that the link in the message points to a realistic page, geolocated and optimized for opening on mobile. Nothing new, apparently. Behind that message, however, lies a network of more than 20,000 domains designed to target users in more than 100 countries. A solid, resilient and, above all, scalable infrastructure.
The heart of the platform is a toolkit called Magic Cat, presumably created by a 24-year-old Chinese developer from Henan. Magic Cat automatically generates extremely realistic phishing pages by cloning the frontend of any banking, logistics or institutional service. The pages are automatically localized and adapted to the local layouts of more than 130 countries.
Darcula users do not need to write code: pick a brand, generate a campaign, launch a domain. Phishing becomes “plug-and-play”.
Mnemonic's technical analysis highlighted several advanced countermeasures Darcula uses to evade detection:
- Conditional access: the malicious links only respond to requests from mobile devices on a cellular network, which defeats many sandboxes and crawlers.
- Client-side encryption: data is encrypted directly in the victim's browser before being sent to the command server, hindering interception.
- Dynamic branding: the pages' HTML updates automatically to follow real changes on the cloned sites, avoiding “stale” layouts that would arouse suspicion.
These elements show professional design, closer to a legitimate SaaS than to a kit sold on the dark web.
A PhaaS with dashboards, licenses and support
Darcula is a commercial platform in every respect. Its operators buy usage licenses, receive continuous updates and access centralized dashboards to track campaign performance and download the exfiltrated data. In some cases there is even a technical support service via Telegram.
According to Mnemonic, more than 600 criminal actors are currently active on the platform. Some focus on individual countries; others run hundreds of large-scale campaigns. Victims number in the millions and include Italian, German, Australian, French and American citizens.
Victims include users of postal, banking and government services, among them:
- Poste Italiane
- Nexi
- Royal Mail
- La Poste
- Australia Post
Italy is among the countries hit, with campaigns localized in Italian.
Darcula stands out from other PhaaS platforms for several key technical characteristics:
- Automatic generation of phishing kits: using headless browsers and scraping, operators can generate clone pages of any legitimate site, including its brand, layout and up-to-date text.
- Dynamic infrastructure: the kits are hosted on more than 20,000 active domains in rotation, many of which use CDNs and multiple redirects to evade blacklists and automated scanning.
- Support for “trusted” communication channels: using iMessage (Apple) and RCS (Android) bypasses traditional anti-spam filters and makes the messages look more legitimate and trustworthy.
The Darcula suite does not stop at generating phishing campaigns; it also offers a module for reusing the credit cards stolen from victims. The suite includes a “Platform card generation” section that generates a valid image of the stolen credit card, ready to be used in digital wallets.
Darcula shows how urgently a strategic approach to defending against modern phishing is needed:
- Domain- and URL-based intelligence is no longer enough: behavioural analysis and detection on endpoints and mobile devices are needed.
- Phishing simulations must be realistic, geolocated and run from real smartphones, not just from desktops.
- Threat sharing and cooperation between CERTs, ISPs and vendors must evolve to intercept PhaaS infrastructure as it is created, not only after the damage is done.
Darcula is not an exploit. It is not a single attack. It is a commercial framework for global criminal campaigns. It demonstrates how phishing has gone from a cottage-industry scam to a franchised digital crime industry.
And while malware is increasingly countered by EDR and XDR, the real vulnerability remains the user. That is why awareness and threat hunting must go hand in hand. Always.
External sources used
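The first recommendation above, that domain and URL intelligence alone is no longer enough, still leaves room for cheap brand-impersonation scoring on the hostnames that do pass through a gateway or a newly-registered-domain feed. The following Python example is added here and is not Mnemonic's or Darcula's code: it scores a hostname for impersonation of the brands the article names (Poste Italiane, Nexi, Royal Mail, La Poste, Australia Post) using brand keywords, digit-for-letter substitutions, a near-miss check, brand names used as subdomains of unrelated domains, and weak signals such as a risky TLD. The allow-list of legitimate domains, the TLD list, the threshold and the sample hostnames are all assumptions constructed for the example.

```python
from difflib import SequenceMatcher

# Brands the article lists as impersonated; longer keywords first so that,
# for instance, "laposte" is matched before the shorter "poste".
BRAND_KEYWORDS = {
    "posteitaliane": "Poste Italiane", "australiapost": "Australia Post",
    "royalmail": "Royal Mail", "laposte": "La Poste", "auspost": "Australia Post",
    "poste": "Poste Italiane", "nexi": "Nexi",
}
# Assumed allow-list of the brands' real registrable domains (example only;
# it must be complete, otherwise legitimate brand domains get flagged too).
LEGIT_DOMAINS = {"poste.it", "nexi.it", "royalmail.com", "laposte.fr", "auspost.com.au"}
# TLDs weighted as riskier in this example; tune to your own telemetry.
SUSPICIOUS_TLDS = {"top", "xyz", "icu", "click", "shop", "cfd"}
LEET = str.maketrans("013", "ole")  # undo common digit-for-letter swaps
FLAG_THRESHOLD = 3


def registrable_domain(host):
    """Naive eTLD+1: handles 'example.com' and 'example.co.uk'-style hosts.
    A real deployment would use the Public Suffix List instead."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "net", "org", "gov"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize(label):
    return label.translate(LEET).replace("-", "")


def score_domain(host):
    """Return (score, reasons); a score >= FLAG_THRESHOLD means suspicious."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return 0, []
    score, reasons = 0, []
    labels = host.split(".")
    sld = reg.split(".")[0]
    sub_labels = labels[: len(labels) - len(reg.split("."))]

    # 1. Brand keyword inside the registrable domain itself.
    for kw, brand in BRAND_KEYWORDS.items():
        if kw in normalize(sld):
            score += 3
            reasons.append(f"'{brand}' keyword in registrable domain {reg}")
            break
    # 2. Brand used as a subdomain of an unrelated domain (nexi.it.something.com).
    for sub in sub_labels:
        hit = next((b for kw, b in BRAND_KEYWORDS.items() if kw in normalize(sub)), None)
        if hit:
            score += 3
            reasons.append(f"'{hit}' appears as a subdomain of unrelated domain {reg}")
            break
    # 3. Near miss of a brand keyword (typosquat), only if nothing matched yet.
    if score == 0:
        for kw, brand in BRAND_KEYWORDS.items():
            if SequenceMatcher(None, normalize(sld), kw).ratio() >= 0.8:
                score += 2
                reasons.append(f"'{sld}' is a near miss of '{brand}'")
                break
    # 4. Weak signals: risky TLD and heavy hyphenation.
    if labels[-1] in SUSPICIOUS_TLDS:
        score += 1
        reasons.append(f"risky TLD .{labels[-1]}")
    if sld.count("-") >= 2:
        score += 1
        reasons.append("multiple hyphens in registrable domain")
    return score, reasons


def is_suspicious(host):
    return score_domain(host)[0] >= FLAG_THRESHOLD


# Constructed sample hostnames, not observed Darcula infrastructure.
SAMPLE_HOSTS = [
    "poste.it", "poste-italiane-consegna.top", "royalmai1-redelivery.xyz",
    "nexi.it.secure-pagamenti.com", "royalmial.shop", "example.com",
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h, score_domain(h))
```

Because Darcula pages answer only to mobile devices on cellular networks, a scanner that fetches the URL from a data-centre IP will often see nothing; scoring the hostname itself needs no fetch at all, which is exactly why it complements rather than replaces behavioural detection on the endpoint.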
- BleepingComputer – Darcula PhaaS steals 884,000 credit cards via phishing texts
- Mnemonic – Exposing Darcula: A rare look behind the scenes of a global Phishing-as-a-Service operation
- Netcraft – Darcula v3: Phishing kits targeting any brand
- Heise.de – Phishing network around Darcula exposed
The article “Not a single line of code! Darcula floods the world with phishing, stealing 884,000 credit cards” comes from il blog della sicurezza informatica.
Tracking the Sun? Nah!
If you want solar power, you usually have to make a choice. You can put a solar panel in a fixed location and accept that it will only put out the maximum when the sun is properly positioned. Or, you can make the panels move to track the sun.
While this isn’t difficult, it does add cost and complexity, plus mechanical systems usually need more maintenance. According to [Xavier Derdenback], now that solar panels are cheaper than ever, it is a waste of money to make a tracking array. Instead, you can build a system that looks to the east and the west. The math says it is more cost effective.
The idea is simple. If you have panels facing each direction, then one side will do better than the other side in the morning. The post points out that a tracking setup, of course, will produce more power. That’s not the argument. However, for a given power output, the east-west solution has lower installation costs and uses less land.
Letting the post speak for itself:
East-West arrays are simple. They consist of parallel strings of PV modules that are oriented in opposing directions, one facing East and the other West. The current of the whole array is the summation of these string currents, effectively letting East-West arrays capture sunlight from dawn till dusk, similar to a tracked array.
So what do you think? Are solar trackers old hat? If you want one, they don’t have to be very complex. But it’s still easier to just double your panels.
Microsoft WDS in the crosshairs: a bug lets 0-click attacks crash Windows
A recently discovered bug in Microsoft's Windows Deployment Services (WDS) lets an attacker crash servers remotely, with no authentication and no user interaction required. The flaw lies in the TFTP service, which uses the UDP protocol, and it is so simple to exploit that even an inexperienced cybercriminal could compromise a company's entire operating-system deployment infrastructure in a few minutes.
Windows Deployment Services is widely used in corporate networks, data centers and schools to simplify operating system deployments, which makes this vulnerability particularly worrying for IT administrators.
The attack relies on sending spoofed, unauthenticated network traffic, which makes it particularly insidious and hard to catch with traditional security solutions. The flaw, which requires no authentication or user interaction (0-click), allows attackers to remotely exhaust system memory by exploiting a design weakness in how WDS handles UDP-based TFTP sessions on port 69.
“The core problem is that EndpointSessionMapEntry imposes no limit on the number of sessions. As a result, an attacker can spoof client IP addresses and port numbers, repeatedly creating new sessions until system resources are exhausted,” explains security researcher Zhiniang Peng in his analysis. The vulnerability stems from the WDS TFTP service, which creates a CTftpSession object every time a connection request is received.
The function wdstftp!CClientContext::OnConnectionRequest handles this process, as shown in this code snippet:
Because UDP servers cannot verify the origin of packets, attackers can forge packets with random source addresses and ports, forcing the server to allocate an unlimited number of session objects in memory.
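To make the design weakness concrete from the defender's side, here is an added Python example that is neither Peng's code nor Microsoft's fix. It models the unbounded session map the researcher describes (one object per new source IP and port pair, never capped) next to a hardened table of assumed design with a global cap, a per-source-IP cap and an idle timeout, and adds a detector that flags the traffic pattern this bug produces: an abnormal number of distinct source pairs hitting UDP port 69 inside a short window. The flow records, the thresholds and the hardened design are all constructed assumptions for the example.

```python
from collections import OrderedDict, defaultdict

TFTP_PORT = 69


class UnboundedSessionTable:
    """Models the weakness the page describes: every new (source IP, source port)
    pair gets its own session object and nothing ever caps the map."""

    def __init__(self):
        self.sessions = {}

    def on_connection_request(self, src_ip, src_port, now):
        self.sessions.setdefault((src_ip, src_port), now)
        return len(self.sessions)


class BoundedSessionTable:
    """Hardened variant (an assumed design for this example, not Microsoft's fix):
    a global cap, a per-source-IP cap and an idle timeout, so that spoofed
    pairs cannot accumulate without limit."""

    def __init__(self, max_sessions=1000, max_per_ip=8, idle_timeout=30.0):
        self.max_sessions, self.max_per_ip, self.idle_timeout = max_sessions, max_per_ip, idle_timeout
        self.sessions = OrderedDict()  # (ip, port) -> last activity, idlest first
        self.per_ip = defaultdict(int)
        self.rejected = 0

    def _drop(self, key):
        del self.sessions[key]
        self.per_ip[key[0]] -= 1

    def _expire(self, now):
        while self.sessions:
            key, last = next(iter(self.sessions.items()))
            if now - last < self.idle_timeout:
                break
            self._drop(key)

    def on_connection_request(self, src_ip, src_port, now):
        """Return True if the request holds a session, False if it was refused."""
        self._expire(now)
        key = (src_ip, src_port)
        if key in self.sessions:  # existing client: refresh, no new allocation
            self.sessions[key] = now
            self.sessions.move_to_end(key)
            return True
        if self.per_ip[src_ip] >= self.max_per_ip:
            self.rejected += 1
            return False
        if len(self.sessions) >= self.max_sessions:
            self._drop(next(iter(self.sessions)))  # evict the idlest session, do not grow
        self.sessions[key] = now
        self.per_ip[src_ip] += 1
        return True


def detect_session_flood(records, window=10.0, max_new_pairs=200):
    """records: (timestamp, src_ip, src_port, dst_port) tuples for UDP traffic.
    Flags each window in which the number of distinct (src_ip, src_port) pairs
    hitting the TFTP port exceeds max_new_pairs: real PXE clients number in the
    dozens, spoofed session creation in the thousands."""
    alerts, window_start, pairs = [], None, set()
    for ts, src_ip, src_port, dst_port in sorted(records):
        if dst_port != TFTP_PORT:
            continue
        if window_start is None or ts - window_start >= window:
            if len(pairs) > max_new_pairs:
                alerts.append((window_start, len(pairs)))
            window_start, pairs = ts, set()
        pairs.add((src_ip, src_port))
    if len(pairs) > max_new_pairs:
        alerts.append((window_start, len(pairs)))
    return alerts


def constructed_records():
    """Constructed sample traffic: five real PXE clients, then a burst of 500
    spoofed (IP, port) pairs from ten source addresses, plus unrelated DNS."""
    recs = [(float(i), f"10.0.0.{10 + i}", 2070, TFTP_PORT) for i in range(5)]
    recs += [(100.0 + i * 0.01, f"198.51.100.{i % 10}", 40000 + i, TFTP_PORT) for i in range(500)]
    recs += [(float(i), f"10.0.0.{10 + i}", 50000 + i, 53) for i in range(5)]
    return recs


def replay(table, records):
    """Feed the TFTP requests of a record set into a session table; return its size."""
    for ts, src_ip, src_port, dst_port in sorted(records):
        if dst_port == TFTP_PORT:
            table.on_connection_request(src_ip, src_port, ts)
    return len(table.sessions)


if __name__ == "__main__":
    recs = constructed_records()
    print("unbounded sessions:", replay(UnboundedSessionTable(), recs))
    bounded = BoundedSessionTable(max_sessions=100, max_per_ip=8)
    print("bounded sessions:", replay(bounded, recs), "rejected:", bounded.rejected)
    print("flood alerts:", detect_session_flood(recs))
```

The per-IP cap is what defeats the cheapest form of the flood (many ports from few addresses); the global cap with idle eviction is what bounds memory even when every packet carries a different spoofed address, at the cost of occasionally evicting a slow but genuine client, which is why a real implementation would pair it with rate limiting at the network edge rather than rely on the cap alone.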
In a test environment running Windows Server Insider Preview with 8 GB of RAM, Peng showed that by continuously sending spoofed UDP packets to port 69, memory consumption rose rapidly to 15 GB in just 7 minutes, crashing the entire system.
The attack technique is surprisingly simple to implement: it requires only basic scripting on a Linux machine to generate the spoofed packets.
This vulnerability poses a significant threat to organizations that rely on WDS for network-based operating system deployment, since it lets attackers completely disrupt PXE boot services across an enterprise without requiring any authentication or privileged access.
The article “Microsoft WDS in the crosshairs: a bug lets 0-click attacks crash Windows” comes from il blog della sicurezza informatica.
Adorable Robot Steals the Show
An ongoing refrain with modern movies is “Why is all of this CG?” Sometimes, it seems like practical effects are simultaneously a dying art, while at the same time modern technology lets them rise to new heights. [Davis Dewitt] proves that second statement with his RC movie star “robot” for an upcoming feature film.
The video takes us through the design process, including what it’s like to work with studio concept artists. As for the robot, it’s controlled by an Arduino Nano, lots of servos, and a COTS airplane R/C controller, all powered by LiPo batteries. This is inside an artfully weathered and painted 3D printed body. Apparently weathering is important to make the character look like a well-loved ‘good guy’. (Shiny is evil, who knew?) Hats off to [Davis] for replicating that weathering for an identical ‘stunt double’.
Check out the video below for all the deets, or you can watch to see if “The Lightening Code” is coming to a theater near you. If you’re into films, this isn’t the first hack [Davis] has made for the silver screen. If you prefer “real” hacks to props, his Soviet-Era Nixie clock would look great on any desk. Thanks to [Davis] for letting us know about this project via the tips line.
DIY Penicillin
We don’t often consider using do-it-yourself projects as a hedge against the apocalypse. But [The Thought Emporium] thinks we should know how to make penicillin just in case. We aren’t so sure, but we do think it is a cool science experiment, and you can learn how to replicate it in the video below.
If you want to skip the history lesson, you need to fast-forward to about the six-minute mark. According to the video, we are surrounded by mold that can create anti-bacterial compounds. However, in this case, he starts with a special strain of mold made to produce lots of antibiotics.
You may not have all the gear he uses, including a bioreactor to generate liters of mold. Even with a lot of mold, the yield of penicillin is relatively low. Since Purina doesn’t make mold chow, you’ll have to create your own food for the mold colony.
All the work he did wound up producing 125 milligrams of drug. Obviously, if you are going to save the post-apocalyptic world, you are going to need to scale that process up.
If you are the sole survivor, maybe your AI companion can help out.
Five Oddest Op Amp Applications
You think of op amps as amplifiers because, no kidding, it is right in the name. But just like some people say, “you could do that with a 555,” [Doctor Volt] might say, “you can do that with an op amp.” In a recent video, which you can see below, he looks at simulations and breadboards for five applications that aren’t traditional amplifiers.
Of course, you can split hairs. A comparator is sort of an amplifier with some very specific parameters, but it isn’t an amplifier in the classic sense.
In addition to comparators, there’s a flip flop, a few oscillators, and a PWM audio over optical transmitter and receiver. If you want to test your understanding of op amps, you can try to analyze the different circuits to see if you can explain how they work.
Op amps are amazing for analog design since you don’t have to build up high-quality amplifier blocks from discrete devices. Even the worst op amp you can buy is probably better than something you have the patience to design in a few minutes with a FET or a bipolar device. Fair to say that we do enjoy these oddball op amp circuits.
A New, Smarter Universal Remote
The remote for [Dillan Stock]’s TV broke, so he built a remote. Not just as a replacement but as something new. For some of us, there was a glorious time in the early 2000s when a smart remote was needed and there were options you could buy off the shelf. Just one handy button next to the screen had a macro programmed that would turn on the receiver, DVD player, and TV, and then configure it with the right inputs. However, the march of technological convenience has continued and nowadays soundbars turn on just in time and the TV auto switches the input. Many devices are (for better or worse) connected to WiFi, allowing all sorts of automation.
[Dillan] was lucky enough that his devices were connected to his Home Assistant setup. So this remote is an ESP32 running ESPHome. These automations could also be triggered by your phone or via a voice assistant. What is more interesting is watching [Dillan] go through the design process. Deciding what buttons there should be, where they should be placed, and how the case would snap together takes real effort. The design uses all through-hole components except for the ESP32, which is a module.
This isn’t the first thing [Dillan] has made with an ESP32, as he previously revamped a non-standard smart lamp with the versatile dev board. The 3D-printable files for the remote are freely available. Video after the break.
Building a DIY Chicken Incubator
If you want to keep eggs warm to hatch, you’ll need an incubator. You could buy one off the shelf, but they’re not so complex — just a nicely-controlled warm box you could easily whip up yourself. As it turns out, that’s precisely what [RCLifeOn] did.
The incubator is built out of wooden panels screwed together to make a simple box. The frame of the front door is also wood, but it features 3D printed hinges and handles, because that’s the easiest way to make hardware when you’re a printing wizard like [RCLifeOn].
The box is fitted with controls for humidity and temperature to ensure the best possible conditions for hatching chicken eggs inside. As you might have guessed, a heated bed from a 3D printer was used to control the temperature inside. As for humidity, a sensor tracks the conditions in the box, and triggers an ultrasonic mister to increase the level as necessary. There’s also a little motion introduced via a moving platform run by a motor and some step-down gearing, which apparently aids in the hatching process.
[RCLifeOn] calls it “a machine that creates life,” and that honestly sounds about fair. We’ve seen similar projects along these lines before, too.
[Thanks to Chris Muncy for the tip!]
Supercon 2024: A Hacker’s Guide to Analog Design in a Digital World
We often think of analog computing as a relic of the past, room-sized monstrosities filled with vacuum tubes doing their best to calculate Monte Carlo simulations or orbital velocities. Analog isn’t as dead as it might seem though, and analog mixed-signal design engineer [Nanik Adnani] gave us a crash course on analog circuits at Supercon 2024.
For those of us less familiar with analog circuits, [Adnani] helpfully offered a definition of analog circuit design as “the design of electronics that create or manipulate continuously variable signals.” It turns out that even our nice, clean digital signals are actually more analog by the time they interact with the real world. This comes down to various factors like substrate losses, conductors, impedance, and even capacitance. Given the difference in scale between a logic gate and the actual pins the signal comes out of on an integrated circuit, it becomes clear that the amount of current the pin can handle versus the logic gate inside the chip is quite different. In order to bridge the gap, chips use a physical interface, or PHY, which happens to be an analog interface that allows the logic on the chip to communicate off the chip.
[Adnani] explained how every digital protocol in common usage requires some degree of analog circuitry, including LoRa, USB, CAN, etc. Most chips handling these protocols have a separate analog team designing the analog circuit, which requires slightly different metal layer design, so while the exact function of an analog circuit can be difficult to determine from an X-ray of the chip, finding where it sits relative to the digital components is quite simple.
Like with most things we hackers delve into, the best way to learn is by doing after picking up a few basics, and [Adnani] reiterates this throughout his talk. One of the more unexpected examples was his grandmother’s tricked-out walker. It has RGB lighting, a water gun, and a car horn. The car horn required a PHY to step things up from the 40 mA from the microcontroller to the 8 A required to drive the horn.
Some other examples from the talk are this PHY for storing data on a cassette by [Zack Nelson], a guitar pedal [Adnani] designed himself for tape out, and analog bird circuits by [Kelly Heaton]. Analog still has a well-known place in music for various components as well.
The last piece, of course, is how you learn analog circuits when everyone around you lives in the digital realm. [Adnani] recommends starting by hitting the books, as internet posts can often be a game of telephone, and getting the values wrong on capacitors or the like is a lot more problematic in an analog circuit. Some of his suggestions are as follows (~13 min into the video):
- Design of Analog CMOS Circuits – start here
- Sedra and Smith – if you like math
- The Art of Electronics – board level design
- CMOS Circuit Design, Layout, and Simulation – trying to tapeout a chip
- Analog Integrated Circuit Design – advanced concepts
[Adnani] says, “I had one professor tell me that all you really need is the first four or five chapters of Design of Analog CMOS Integrated Circuits by Behzad Razavi and then you can start building things.” If videos work better for you, then [Adnani] recommends checking out [Moritz Klein], [Carsten Wulff], and [Ali Hajimiri], who all have robust offerings on the subject.
At the end of the day, you won’t really learn it until you try to build something, so get a box of components and start tinkering. Simulation can also be beneficial, so [Adnani] recommends trying out your circuits in LTspice for discrete simulations and Ngspice if you want to tape out. While taping out a design for a few hundred bucks seems pricey, it’s a lot cheaper than a university course in many regions of the world. [Adnani] ends with an exhortation that if a humble undergraduate can do analog work, then any hacker can too, so maybe give it a whirl on your next project!
+358% DDoS attacks: digital hell broke loose in 2024
Cloudflare says it mitigated a record number of DDoS attacks in 2024. The number of incidents rose 358% compared with the previous year and 198% compared with the previous quarter.
In its report for the first quarter of 2025, the company said it neutralized a total of 21.3 million DDoS attacks in 2024. At the same time, experts warn that 2025 promises to be even harder: in the first quarter alone, Cloudflare has already responded to 20.5 million DDoS attacks.
Among the targets of these attacks was Cloudflare itself, whose infrastructure was subjected to 6.6 million attacks during an 18-day multi-vector campaign.
“Of the 20.5 million DDoS attacks, 16.8 million were network-layer attacks, and of these, 6.6 million were aimed directly at Cloudflare's network infrastructure,” the report states. These attacks were part of an 18-day multi-vector DDoS campaign that included SYN floods, Mirai-generated DDoS attacks, SSDP amplification attacks and more.
The main driver of the rise in DDoS incidents was network-layer attacks, which grew sharply in recent months, up 509% year over year.
The hyper-volumetric attack trend also continues unabated: the company recorded more than 700 attacks exceeding 1 Tbps (terabits per second) and 1 billion packets per second. In the first quarter of 2025 such hyper-volumetric attacks averaged eight per day, and their number doubled compared with the previous quarter.
One of the most powerful attacks described in Cloudflare's report occurred in the first quarter of 2025 and targeted an unnamed US hosting provider that hosts game servers for Counter-Strike GO, Team Fortress 2 and Half-Life 2: Deathmatch.
The attack targeted port 27015, commonly used for gaming, which is recommended to be left open for both UDP and TCP. This means the attack was clearly aimed at disrupting gaming services. It was a hyper-volumetric attack reaching 1.5 billion packets per second, although Cloudflare says it mitigated it.
It is also worth noting that the company's CEO, Matthew Prince, recently reported on X that Cloudflare had managed to stop the largest attack to date, a 5.8 Tbps attack lasting about 45 seconds. Prince writes that an even larger DDoS attack took place the same day and promises to share details soon.
Recall that the previous record was set at the beginning of 2025, when Cloudflare reported a DDoS attack peaking at 5.6 Tbps. That attack was carried out using the Mirai botnet, which comprised 13,000 compromised devices.
The article “+358% DDoS attacks: digital hell broke loose in 2024” comes from il blog della sicurezza informatica.
AI Brings Play-by-Play Commentary to Pong
While most of us won’t ever play Wimbledon, we can play Pong. But it isn’t the same without the thrill of the sportscaster’s commentary during the game. Thanks to [Parth Parikh] and an LLM, you can now watch Pong matches with commentary during the game. You can see the very cool result in the video below — the game itself starts around the 2:50 mark. Sadly, you don’t get to play. It seems like it wouldn’t be that hard to wire yourself in with a little programming.
The game features multiple AI players and two announcers. There are 15 years of tournaments, including four majors, for a total of 60 events. In the 16th year, the two top players face off in the World Championship Final.
There are several interesting techniques here. For one, each action is logged as an event that generates metrics and is prioritized. If an important game event occurs, commentary pauses to announce that event and then picks back up where it left off.
We really want to see a one- or two-player human version of this. Please tell us if you take on that challenge. Even if you don’t write it, maybe the AI can write it for you.
Optical Contact Bonding: Where the Macro Meets the Molecular
If you take two objects with fairly smooth surfaces, and put these together, you would not expect them to stick together. At least not without a liberal amount of adhesive, water or some other substance to facilitate a temporary or more permanent bond. This assumption gets tossed out of the window when it comes to optical contact bonding, which is a process whereby two surfaces are joined together without glue.
The fascinating aspect of this process is that it uses the intermolecular forces in each surface, which normally don’t play a major role, due to the relatively rough surfaces. Before intermolecular forces like Van der Waals forces and hydrogen bonds become relevant, the two surfaces should not have imperfections or contaminants on the order of more than a few nanometers. Assuming that this is the case, both surfaces will bond together in a way that is permanent enough that breaking it is likely to cause damage.
Although more labor-intensive than using adhesives, the advantages are massive when considering that it creates an effectively uninterrupted optical interface. This makes it a perfect choice for especially high-precision optics, but with absolutely zero room for error.
Intermolecular Forces
Thirty-six gauges wrung together and held horizontally. (Credit: Goodrich & Stanley, 1907)
As creatures of the macro world, we are largely only aware of the macro effects of the various forces at play around us. We mostly understand gravity, and how the friction of our hand against a glass prevents it from sliding out of our hand before shattering into many pieces on the floor. Yet add some water on the skin of our hands, and suddenly there’s not enough friction, leading to unfortunate glass slippage, or a lid on a jar of pickles that stubbornly refuses to open because we cannot generate enough friction until we manage to dry our hands sufficiently.
Many of these macro-level interactions are the result of molecular-level interactions, which range from the glass staying in one piece instead of drifting off as a cloud of atoms, to the system property that we refer to as ‘friction’, which itself is subdivided into static friction (stiction) and dynamic friction. The system of friction can be considered analogous to contact bonding when we consider two plates with one placed on top of the other. If we proceed to change the angle of these stacked plates, at some point the top plate will slide off the bottom plate. This is the point where the binding forces can no longer compensate for the gravitational pull, with material type and surface finish affecting the final angle.
An interesting example of how much surface smoothness matters can be found in gauge blocks. These are precision ground and lapped blocks of metal or ceramic which match a specific thickness. Used mainly for calibration purposes, they possess the fascinating property that, thanks to their smooth surfaces, you can make several of them adhere together in a near-permanent manner in what is called wringing. This way you can combine multiple lengths to create a single gauge block with sub-millimeter accuracy.
Enabling all this are intermolecular forces, in particular the Van der Waals forces, including dipole-dipole electrostatic interactions. These do not rely on chemical or similar properties as they depend only on aspects like the mutual repulsion between the electron clouds of the atoms that make up the materials involved. Although these forces are very weak and drop off rapidly with distance, they are generally independent of aspects like temperature.
Hydrogen bonds can also occur if present, with each type of force having its own set of characteristics in terms of strength and effective distance.
Make It Smooth
Surface roughnesses of a SiO2 wafer (left, ≈1.01 nm RMS) and a ULE wafer (right, ≈1.03 nm RMS) (Credit: Kalkowski et al., 2011)
One does not simply polish a surface to a nanometer-perfect sheen, though as computer cooling enthusiasts and kin are aware, you can get pretty far with a smooth surface and various grits of sandpaper all the way up to ridiculously high levels. Given enough effort and time, you can match the surface finish of something like gauge blocks and shave off another degree or two on that CPU at load.
Achieving even smoother surfaces is essentially taking this to the extreme, though it can be done without 40,000 grit sandpaper as well. The easiest way is probably found in glass and optics production, the latter of which has benefited immensely from the semiconductor industry. A good demonstration of this can be found in a 2011 paper (full PDF) by Fraunhofer researchers G. Kalkowski et al. as published in Optical Manufacturing and Testing.
They describe the use of optical contact bonding in the context of glass-glass for optical and precision engineering, specifically low-expansion fused silica (SiO2) and ultra-low expansion materials. There is significant overlap between semiconductor wafers and the wafers used here, with the same nanometer level precision, <1 nm RMS surface roughness, a given. Before joining, the surfaces are extensively cleaned of any contaminants in a vacuum environment.
Worse Than Superglue
Once the surfaces are prepared, there comes the tricky part of making both sides join together. Unlike with the gauge blocks, these super smooth surfaces will not come apart again without a fight, and there’s no opportunity to shimmy them around to get that perfect fit like when using adhesive. With the method demonstrated by Kalkowski et al., the wafers were joined and then heated to 250 ℃ to create permanent Si-O-Si bonds between the two surfaces. In addition, bonding pressure of 2 MPa was applied for two hours using either N2 or O2 gas.
This also shows another aspect of optical contact bonding: it is not technically permanent, since the bond still relies only on intermolecular forces and, as shown in this study, can be pried apart with a razor blade and some effort. By heating and applying pressure, the two surfaces can be annealed, forming molecular bonds and effectively turning the two parts into one.
Of course, there are many more considerations, such as the low-expansion materials used in the referenced study. If the two sides are made of too dissimilar materials, the bond will be significantly more tenuous than if materials with the same expansion properties are used. It’s also possible to use direct bonding with a chemical activation process, all of which depends on the materials used.
In summary, optical contact bonding is a very useful technique, though you may want to have a well-equipped home lab if you want to give it a spin yourself.
Improving Flying Drones By Mimicking Flying Squirrels
With the ability to independently adjust the thrust of each of their four motors, quadcopters are exceptionally agile compared to more traditional aircraft. But in an effort to create an even more maneuverable drone platform, a group of South Korean researchers have studied adding flying squirrel tech to quadcopters. Combined with machine learning, this is said to significantly increase the prototype’s agility in an obstacle course.
Flying squirrels (tribe Pteromyini) have large skin flaps (patagium) between their wrists and ankles, which they use to control their flight when gliding from tree to tree, along with their fluffy tail. With flights covering up to 90 meters, they also use that tail and patagium to air brake, which prevents them from smacking into a tree trunk at bone-jarring velocities.
By taking these principles and adding a similar mechanism to a quadcopter for extending a patagium-like membrane between its rotors, the researchers could develop a new controller (thrust-wing coordination control, TWCC), which manages the extending of the membranes in coordination with thrust from the brushless motors. Rather than relying on trial-and-error to develop the controller algorithms, the researchers trained a recurrent neural network (RNN) which was pre-trained prior to first flights using simulation data followed by supervised learning to refine the model.
During experiments with obstacle avoidance on a test-track, the RNN-based controller worked quite well compared to a regular quadcopter. A disadvantage is of course that the range of these flying squirrel drones is less due to the extra weight and drag, but if one were to make flying drones that will perch on surfaces between dizzying feats of agility in the air, this type of drone tech might just be the ticket.
Connecting to public Wi-Fi? Even with HTTPS you are not safe! Let's find out with this tutorial
Many people believe that visiting only HTTPS sites is enough to stay secure while browsing on unprotected Wi-Fi networks. Spoiler: this belief, too, is a false sense of security.
HTTPS: a step forward, but not infallible
HTTPS (HyperText Transfer Protocol Secure) uses encryption protocols such as TLS to protect the communication between the browser and the website, guaranteeing the confidentiality and integrity of the data.
Although HTTPS therefore offers significant protection compared with HTTP, in this article of our WiFi column we will show that this protection on its own is not enough, especially in untrusted environments such as open Wi-Fi networks.
Persistent vulnerabilities on open Wi-Fi networks
Despite the encryption guaranteed by HTTPS, an open network and the easy access it gives attackers to our information expose us to:
- Man-in-the-Middle (MitM) attacks: an attacker can intercept the traffic between the user and the website, potentially redirecting the user to a fake site that imitates the legitimate one.
- DNS spoofing and ARP poisoning: techniques that let an attacker manipulate DNS responses or the ARP cache, redirecting the user to malicious sites even when the address is typed correctly.
- Metadata interception: even though the content of the communication is encrypted, information such as the domain names visited (DNS queries) can be visible and used to profile the user.
As written in several articles, attackers can use various techniques to bypass or compromise HTTPS protection, including:
- Malicious redirects: with techniques such as DNS spoofing, the attacker alters DNS responses to redirect the user to a fake website, which may carry a valid or forged HTTPS certificate, making the user believe they are safe.
- Fake HTTPS sites (forged certificates): an attacker can set up a fake site with a valid SSL/TLS certificate by using automated certificate services, or even obtain legitimate certificates for domains that resemble the real ones (e.g. typo-squatting). Seeing the green padlock or the HTTPS indicator, the user may be led to trust the counterfeit site.
- HTTPS downgrade: through an attack called SSL stripping, an attacker can force a connection to an HTTPS site to use HTTP instead, defeating the encryption. This attack exploits the possibility that the site supports both versions of the protocol.
- Attacks on root certificates: if an attacker manages to compromise the root certificates installed on the victim's device (for example through malware), they can create custom certificates for any website, leaving the traffic completely exposed even with HTTPS.
The good news
Let's start by saying that, according to our laboratory tests and analysis, one of the most insidious attacks of recent years, SSL Stripping, has turned out to be much less effective.
Introduced in 2009 by Moxie Marlinspike, this attack aimed to turn a secure HTTPS connection into a plain HTTP one, stripping the user of cryptographic protection without them noticing.
In practice, the attacker placed themselves between the browser and the website, a classic man-in-the-middle attack, intercepting the communications and modifying them on the fly, with the ability to read and manipulate everything that passed through.
The introduction of HSTS
To counter this type of attack, the HTTP Strict Transport Security (HSTS) mechanism was introduced in 2012. Through the Strict-Transport-Security header, a server can instruct the browser to access the site exclusively over HTTPS connections for a specified period of time. This prevents the browser from making insecure HTTP requests to the site, significantly reducing the attack surface for SSL Stripping.
Think of HSTS as an electronic gate: a digital barrier that opens only if you arrive with the right credentials, in this case an HTTPS connection. If you try to get through with an unencrypted HTTP link, the bar stays down. No entry.
The website tells the browser, through a simple HTTP header, a precise rule:
"To come in here you must use HTTPS only, always. Every other route is blocked."
Once it has received this instruction, the browser stores it and from then on refuses any unprotected connection to that site. Not even the user can override it: the gate stays closed to anyone who does not meet the security requirements.
Limitations and solutions
One limitation of HSTS is that its effectiveness depends on the user having already visited the site at least once over HTTPS. To mitigate this problem, the major browsers maintain an internal list of "authorized" sites that must be contacted only and always over HTTPS, from the very first visit. It is as if those sites had a pre-configured electronic badge: secure access is guaranteed from the start.
However, this list cannot include every existing website, which leaves a window of vulnerability for sites that are not on it.
This is why, for sites that are not on that list and do not configure HSTS correctly, the barrier can stay up. In that case an attacker could still attempt a downgrade, forcing an HTTP connection with techniques such as SSL Stripping or DNS Spoofing.
Misconfigurations and residual risks
Beyond what has already been said, misconfigurations can expose sites to further risks. For example, if a site does not implement HSTS correctly or is not included in the browsers' preloaded list, an attacker could still attempt an SSL Stripping attack. It is therefore essential that websites configure HSTS correctly and that users are aware of the risks associated with insecure connections.
HSTS is a powerful tool, but not a magic one. It works very well, but only if the following criteria are met:
- The site has configured it correctly
- The domain is present in the browser's preloaded list
- The user is not intercepted before the first secure connection
The adoption of HTTPS and HSTS has made SSL Stripping attacks significantly less effective. However, complete security depends on correct server configuration and on user awareness. It is essential that websites implement HSTS properly and that users pay attention to the security of their connections.
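To make the three criteria above concrete, here is an added example (not code from the original article) that parses a Strict-Transport-Security header roughly the way a browser does and reports which requirement a policy fails: a usable max-age, includeSubDomains, and the preload token that closes the first-visit window. The sample headers in SAMPLE_HEADERS are constructed, not captured from any real site.

```python
"""Evaluate a Strict-Transport-Security header roughly the way a browser does.

Added example (not code from the original article): it parses the header
value and reports whether the policy is enforced, how long it lasts and
whether it meets the public preload-list requirements. The sample headers
in SAMPLE_HEADERS are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Preload lists (hstspreload.org) require max-age of at least one year,
# includeSubDomains and the preload token.
PRELOAD_MIN_AGE = 365 * 24 * 3600


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    problems: List[str] = field(default_factory=list)

    @property
    def enforced(self) -> bool:
        """True once a browser that has seen this header will refuse http:// to the host."""
        return self.max_age is not None and self.max_age > 0

    @property
    def preloadable(self) -> bool:
        """True if the policy satisfies the preload-list submission rules."""
        return (self.enforced and self.max_age >= PRELOAD_MIN_AGE
                and self.include_subdomains and self.preload)


def parse_hsts(header_value: Optional[str]) -> HstsPolicy:
    """Parse a value such as 'max-age=31536000; includeSubDomains; preload'.

    A missing or malformed header leaves max_age=None: the browser stores
    nothing and will still follow a plain http:// link to the site, which is
    exactly the window SSL stripping needs.
    """
    if header_value is None:
        return HstsPolicy(None, False, False, ["no Strict-Transport-Security header"])
    max_age = None
    include_subdomains = preload = False
    problems: List[str] = []
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                problems.append(f"invalid max-age value {value!r}")
            else:
                max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        else:
            problems.append(f"unknown directive {name!r}")   # e.g. a typo in includeSubDomains
    if max_age is None:
        problems.append("max-age missing: policy is ignored")
    elif max_age == 0:
        problems.append("max-age=0: policy is removed")
    elif max_age < PRELOAD_MIN_AGE:
        problems.append("max-age shorter than one year: not preloadable")
    if not include_subdomains:
        problems.append("includeSubDomains missing: subdomains stay reachable over HTTP")
    if not preload:
        problems.append("preload missing: first visit is unprotected unless the browser list has the host")
    return HstsPolicy(max_age, include_subdomains, preload, problems)


def grade(header_value: Optional[str]) -> str:
    """Summarise a header as 'none', 'weak' (enforced but not preloadable) or 'strong'."""
    policy = parse_hsts(header_value)
    if not policy.enforced:
        return "none"
    return "strong" if policy.preloadable else "weak"


# Constructed headers, not captured from any real site.
SAMPLE_HEADERS = {
    "no header": None,
    "short-lived": "max-age=300",
    "typo in directive": "max-age=31536000; includeSubdomain",
    "preload-ready": "max-age=63072000; includeSubDomains; preload",
}

if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(f"{label:18} -> {grade(value):6} {parse_hsts(value).problems}")
```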
Warning
Complete security does not exist; awareness and knowledge of these limits allow us to be less exposed, especially on open networks such as public or unprotected ones. Attackers have shown us more than once that they are very resourceful and always manage to find a way to get what they want. In these two labs we want to demonstrate two possible scenarios we could find ourselves in when connecting to an open network:
- A fake portal: a lab on getting past HTTPS encryption
Lab created thanks to Marco Mazzola
- Files in the clear: a lab on encryption downgrade in FTP transfers
Lab created thanks to Manuel Roccon
⚠️ Warning: the information below is for educational purposes! Do not use it for illegal activities or without authorization. ⚠️
NB: all simulations are carried out in a laboratory environment, without involving real networks or users.
ARP spoofing
Let's start with a brief note on ARP spoofing, which we will use in both labs and which is frequently used on insecure networks.
ARP spoofing (or ARP poisoning) is an attack technique that exploits weaknesses of the ARP (Address Resolution Protocol) to associate the attacker's MAC address with the IP address of another device on the same local network.
In simple terms, the attacker sends forged ARP messages on the network, convincing the other devices (for example a victim computer and the router) that the attacker's MAC address corresponds to the IP address of the victim (or of the router).
In short, in the ARP table of the victim's device we can see, before the ARP attack, the correct MAC address associated with the gateway IP.
On Windows systems "arp -a" shows the current ARP table built from previous communications with other hosts.
Once the ARP spoofing attack has started, the MAC associated with the gateway IP has been replaced with the attacker's.
From now on all the traffic the victim tries to send to the gateway (192.168.0.1) to reach the internet will arrive at the attacker, who then forwards it to the real router, and vice versa.
The victim is already under attack and is not noticing the problem.
Some considerations
ARP spoofing is one of the attacks that can be used to carry out a MiTM.
Another technique could be DHCP spoofing, inducing clients to use DHCP settings different from the intended ones, including a different gateway that can be controlled by the attacker to sniff and redirect traffic.
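The change in the victim's ARP table described above is something a host can check for itself. The following added example (not code from the original article) compares two snapshots of "arp -a" output and raises the two symptoms the text describes, the gateway's MAC changing and one MAC answering for several IPs; both snapshots and every address in them are constructed.

```python
"""Spot ARP poisoning by comparing ARP-table snapshots.

Added example (not from the original article): parse the text of Windows
"arp -a" (or Linux "arp -n") taken before and after, then flag the gateway's
MAC changing and one MAC answering for several IPs. Both snapshots and every
address below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List

# "192.168.0.1   aa-bb-cc-00-00-01" (Windows) or "aa:bb:cc:00:00:01" (Linux)
_ENTRY = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[-:]){5}[0-9a-fA-F]{2})")

BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse_arp_table(text: str) -> Dict[str, str]:
    """Return {ip: mac} for unicast neighbours; MACs normalised to lower-case colon form."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m["ip"])
        mac = m["mac"].lower().replace("-", ":")
        if ip.is_multicast or mac == BROADCAST:
            continue  # 224.0.0.x / 01-00-5e-... entries are normal, not neighbours
        table[str(ip)] = mac
    return table


def detect_arp_spoofing(baseline: Dict[str, str], current: Dict[str, str],
                        gateway_ip: str) -> List[str]:
    """Compare two snapshots and return human-readable alerts (empty list = nothing seen)."""
    alerts: List[str] = []
    before, after = baseline.get(gateway_ip), current.get(gateway_ip)
    if before and after and before != after:
        alerts.append(f"gateway {gateway_ip} MAC changed {before} -> {after}")
    # After poisoning, the attacker's MAC is listed both for its own IP and for the gateway.
    owners: Dict[str, List[str]] = defaultdict(list)
    for ip, mac in current.items():
        owners[mac].append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims several IPs: {', '.join(sorted(ips))}")
    # Any other neighbour whose MAC changed deserves a look as well.
    for ip, mac in current.items():
        if ip != gateway_ip and ip in baseline and baseline[ip] != mac:
            alerts.append(f"host {ip} MAC changed {baseline[ip]} -> {mac}")
    return alerts


# Constructed "arp -a" output from the victim before the attack ...
ARP_BEFORE = """\
Interface: 192.168.0.42 --- 0x4
  Internet Address      Physical Address      Type
  192.168.0.1           aa-bb-cc-00-00-01     dynamic
  192.168.0.50          aa-bb-cc-00-00-50     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""
# ... and after it: the host at .50 now also answers for the gateway.
ARP_AFTER = """\
Interface: 192.168.0.42 --- 0x4
  Internet Address      Physical Address      Type
  192.168.0.1           aa-bb-cc-00-00-50     dynamic
  192.168.0.50          aa-bb-cc-00-00-50     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""


def demo() -> List[str]:
    """Run the detector over the two constructed snapshots."""
    return detect_arp_spoofing(parse_arp_table(ARP_BEFORE),
                               parse_arp_table(ARP_AFTER), "192.168.0.1")


if __name__ == "__main__":
    for alert in demo():
        print("ALERT:", alert)
```

On a real host the same functions can be fed the output of `arp -a` captured at login and again a minute later; a gateway whose MAC changes between the two is worth treating as hostile until the network is verified.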
LAB 1 – A fake portal: a lab on getting past HTTPS encryption
In this lab we analyse, step by step, a Man-in-the-Middle (MITM) attack carried out on an unprotected Wi-Fi network. The goal is to simulate a real scenario in which an attacker manages to intercept the victim's traffic and manipulate it, exploiting the user's urgency and inattention. All operations are carried out in a laboratory environment, for training purposes only.
Scenario description
- Client connects to the network
- The client device connects to a free Wi-Fi network, getting ready to browse websites.
- Traffic interception through ARP spoofing
- Using ARP spoofing techniques, the attacker manipulates the ARP tables of the local network so that the client's traffic is routed through the attacker's device. This places the attacker between the client and the gateway, allowing transparent interception of the data.
- Redirection of DNS requests (DNS hijacking)
- The attacker manipulates DNS responses, directing all the client's requests to a server under their control. This makes it possible to present the client with forged content or divert its requests to malicious destinations.
- Presentation of a fake captive portal
- When the client tries to reach the internet, it is redirected to a fake captive portal that mimics a login page. This portal can be used to induce the user to provide credentials or, as in this case, to install malicious certificates.
- Installation of a malicious certificate
- The fake captive portal can ask for the installation of an SSL/TLS certificate controlled by the attacker. If the user accepts, the attacker can decrypt the client's HTTPS traffic and access sensitive information.
- Analysis of the traffic in the clear
- With the certificate installed, the attacker can monitor and analyse the client's traffic, collecting data such as login credentials, personal information and other sensitive data.
Description of the tools and operational steps
In this lab both the victim and the attacker are on the same unprotected network segment, where no network-side protection techniques have been implemented (we will talk about these mitigations in the next articles).
The victim
Our victim is a user running Windows 11 with the latest available patches, connecting to an open Wi-Fi network. An insecure network gets used for a variety of reasons, as already discussed in the article "Reti WiFi Aperte: Un Terreno Fertile per il Cybercrime".
And it is precisely this need to stay connected at all costs that becomes a very powerful weapon for attackers.
The attacker
The attacker operates from a Kali Linux machine, on the same network as the victim, and prepares the system to intercept and manipulate traffic.
Attack preparation
Phase 1 – Enabling forwarding
The first step is to enable packet forwarding on Kali, turning it into a node that forwards traffic between the victim and the real gateway.
sudo sysctl -w net.ipv4.ip_forward=1
Phase 2 – Redirecting HTTP and HTTPS traffic
We use iptables to divert all outgoing traffic on ports 80 (HTTP) and 443 (HTTPS) to local port 8080, where a proxy will be listening.
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8080
Phase 3 – DNS hijacking with dnsmasq
To intercept domain name requests and force them to resolve to the attacker's IP, we set up DNS hijacking with dnsmasq.
Edit or create the configuration file:
sudo nano /etc/dnsmasq.conf
With the following content:
interface=wlan0
no-dhcp-interface=wlan0
bind-interfaces
bogus-priv
log-queries
log-facility=/var/log/dnsmasq.log
address=/#/192.168.1.251
Finally, start dnsmasq with:
sudo dnsmasq -C /etc/dnsmasq.conf
From this moment on, every DNS request received on the wlan0 interface will always return the attacker's IP address (192.168.1.251), simulating a captive portal or a MITM proxy.
Phase 4 – ARP spoofing
To intercept the traffic, the attacker runs an ARP spoofing attack, making the victim believe that the attacker's MAC is the gateway's.
sudo arpspoof -i wlan0 -t 192.168.1.113 192.168.1.1
As seen above, in this way all traffic destined for the gateway is diverted through the attacker's machine, which acts as a transparent intermediary.
Phase 5 – Starting mitmproxy
Now we start mitmproxy, which will act as a transparent proxy to intercept and inspect HTTP and HTTPS traffic.
sudo mitmproxy --mode transparent --showhost --listen-port 8080
NB: for this lab we chose mitmproxy because it provides a publicly downloadable CA certificate (mitm.it/), which simplifies installation on the victim's client.
Action
When the victim connects to the open, unprotected Wi-Fi network, all of their traffic ends up on the attacker's Kali Linux machine. As we have seen in several articles this is already a problem in itself, but if the victim took no further action at least the HTTPS traffic would be safe.
Presentation of the captive portal and certificate installation
Once the victim opens the browser and tries to browse, they are automatically redirected to a fake captive portal hosted by the attacker.
- The portal simulates a network login screen that offers the download of a certificate in order to browse "securely".
- The victim, driven by the need to be connected, accepts and installs the certificate without paying much attention to what they are doing.
- They download the certificate and install it in a few simple steps:
- The login portal records this action and whitelists the victim's device. If something goes wrong in the script, the portal page may be shown a second time, where this time only "I have installed the certificate - Continue" needs to be clicked.
- From this moment the victim can browse, unaware that their traffic will reach the attacker, who can now decrypt all the encrypted HTTPS traffic.
Traffic analysis
As shown in the figure, with the certificate accepted and the traffic passing through mitmproxy, the attacker can:
- intercept login credentials,
- view requests to sensitive services (banks, email, social networks),
- analyse content that was originally encrypted.
Considerations
In conclusion, this lab is a valuable opportunity to understand historical network interception techniques, exploring how they work in a controlled and safe environment. Analysing these scenarios is not just about knowing "how the attacks happened", but above all about understanding how to prevent them and strengthen the security of our digital infrastructure. Only through hands-on study and awareness can we build more resilient systems, capable of withstanding the threats of the past and the future.
LAB 2 – Files in the clear: a lab on encryption downgrade in FTP transfers
Like HTTP, the FTP (File Transfer Protocol) protocol is by now obsolete and insecure, yet it is still used in many organizations to transfer files, including sensitive data.
Like HTTPS, the FTPS protocol instead establishes an encrypted, secure connection between client and server; this extension of FTP adds TLS or SSL encryption (not to be confused with SFTP), so that nobody besides the server and the client can access the content of the data.
FTP (File Transfer Protocol) is a standard network protocol used to transfer files between a client and a server over a TCP/IP network, such as the Internet. In practice, it allows files to be uploaded to and downloaded from a remote computer.
It is still widely used for data exchange, so it is clear that this data, too, travelling across the network or towards the internet, should be protected by encryption.
In this type of attack we force the victim to use a weak protocol: an FTP downgrade.
This attack can be carried out when the victim uses an FTP client configured to choose the most secure available protocol on its own.
In this example we used FileZilla, whose default configuration lets the program automatically pick the secure connection if one is available.
In that case, connecting normally, the client will automatically use TLS, because it detects that the FTP server has TLS configured.
We will see instead that with a MiTM (Man In The Middle) attack, in which an adversary sits in the middle of the communication, it is possible to force the victim to use plaintext FTP and thus recover the login credentials.
ATTACK PREPARATION
First, enable packet forwarding, which turns the attacker into an IPv4 router: as we will see later, all the victim's traffic that arrives is passed on to the real gateway and vice versa:
echo 1 > /proc/sys/net/ipv4/ip_forward
Install a local FTP server on the attacking machine. In this example we installed and started Pure-FTPd, configured to accept only plaintext connections (excluding TLS).
sudo systemctl start pure-ftpd
Run ARP spoofing (explained in more detail in the ARP spoofing section) through the MITMf framework; this makes the victim replace the MAC address associated with the router's IP with the attacker's.
MITMf (Man-In-The-Middle Framework) is a powerful "all in one" tool for carrying out Man-In-The-Middle attacks and manipulating network traffic. Its strength lies precisely in having overcome the limitations of earlier tools such as Ettercap and Mallory, offering a modular and highly extensible architecture.
MITMf represents a significant evolution in the landscape of MITM tools, offering a powerful, flexible and up-to-date platform for network security analysis and attack scenario simulation.
We use the -i parameter to indicate the interface connected to the public network, --spoof and --arp for this ARP poisoning attack, and finally --target and --gateway, as the names suggest, for the IPs of the victim and the gateway.
sudo ./mitmf.py -i wlan0 --spoof --arp --target 192.168.0.42 --gateway 192.168.0.1
As explained above, thanks to ARP spoofing all the traffic the victim tries to send to the gateway to reach the internet and the external FTP server arrives at the attacker, who then forwards it to the real router, and vice versa.
All without the victim noticing anything.
Now, to intercept the FTP traffic passing through, we create a PREROUTING rule with iptables on the attacker's device, so that all the traffic the victim sends to port 21 is diverted to the attacker's local FTP server.
sudo iptables -t nat -A PREROUTING -p tcp --destination-port 21 -j REDIRECT --to-port 21
DOWNGRADE AND RECOVERY OF THE FTP CREDENTIALS
Now, if from this point on the victim connects to an FTP server, the authentication will be performed against the attacker's server, without TLS.
In this case the latest version of FileZilla would warn of a problem and of a probable downgrade attack; other software might not have this check at all and proceed without any warning.
This happens because we had previously connected over TLS; had it been the first time, it would not have reported the problem.
If the victim accepts this message without asking too many questions and proceeds with the authentication, MITMf captures the credentials exchanged in the clear, including the IP of the FTP server.
The message that we are using an insecure connection can also be seen in the FileZilla log.
A further consequence, beyond credential theft: if the attacker had configured the local FTP server to accept any credentials supplied by the victim, the data the victim tries to upload would be stolen as well.
Obviously, for that case the PREROUTING redirect of port 20 and of some passive-mode ports is also missing here.
NB: FileZilla reports the downgrade only if an FTPS connection had previously taken place, and does not always block the attempt if the configuration is set to "automatic connection".
Considerations
With this lab we have shown how, even with secure protocols such as FTPS available, security can be compromised if appropriate, deliberate configurations are not adopted. Through a Man-in-the-Middle (MITM) attack and ARP spoofing techniques it was possible to force an FTP client, configured to automatically select the most secure protocol available, to fall back to an unencrypted connection (FTP), thereby exposing the transmitted credentials and data.
This scenario could also arise with the POP, IMAP and SMTP protocols if the mail client configured the protocol automatically.
It is therefore important to pay attention to client configurations so that only secure connections are used.
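The difference between "automatic" and "only secure connections" comes down to what the client does when AUTH TLS is refused. This added example (not the article's or FileZilla's code) models that decision: in automatic mode a first contact logs in unencrypted without a word and only a host that used TLS before triggers a warning, exactly the behaviour described above, while a require-TLS policy refuses to send credentials at all. Host names and server replies are constructed.

```python
"""Client-side guard against FTP-to-FTPS downgrade.

Added example, not the article's or FileZilla's code: it models the decision
an FTP client makes after sending AUTH TLS (RFC 4217), contrasting the
"automatic" behaviour the lab abuses with a strict policy. Server replies
and host names are constructed.
"""
from typing import Dict, List, Tuple

# RFC 4217: the server answers AUTH TLS with 234 when it is willing to start TLS.
AUTH_OK = "234"


class FtpTlsGuard:
    """Remembers which hosts negotiated TLS before, like a trust-on-first-use cache."""

    def __init__(self, mode: str = "auto") -> None:
        if mode not in ("auto", "require_tls"):
            raise ValueError("mode must be 'auto' or 'require_tls'")
        self.mode = mode
        self.seen_tls: Dict[str, bool] = {}

    def decide(self, host: str, auth_tls_reply: str) -> Tuple[str, List[str]]:
        """Return (action, warnings) where action is one of:
        'tls'    - proceed with the TLS handshake
        'plain'  - log in unencrypted without any warning (first contact in auto mode)
        'prompt' - ask the user: the host used TLS before but refuses it now
        'abort'  - refuse to send credentials (require_tls policy)
        """
        code = auth_tls_reply[:3]
        if code == AUTH_OK:
            self.seen_tls[host] = True
            return "tls", []
        # Anything else (500/502/530 ...) means TLS was refused, either by the real
        # server or by whoever sits in the middle of the connection.
        if self.mode == "require_tls":
            return "abort", [f"{host} refused AUTH TLS ({auth_tls_reply.strip()}); plaintext login not allowed"]
        if self.seen_tls.get(host):
            return "prompt", [f"{host} negotiated TLS earlier but now refuses it: possible downgrade attack"]
        return "plain", [f"{host} never offered TLS; credentials will travel unencrypted"]


def run_scenario(mode: str) -> List[str]:
    """Replay the lab: a first session where TLS works, then one where AUTH TLS is refused.

    The refusal text is constructed to resemble a server without TLS support.
    """
    guard = FtpTlsGuard(mode)
    replies = ["234 AUTH TLS OK.", "500 This security scheme is not implemented"]
    return [guard.decide("ftp.example.test", r)[0] for r in replies]


if __name__ == "__main__":
    print("auto        :", run_scenario("auto"))          # ['tls', 'prompt']
    print("require_tls :", run_scenario("require_tls"))   # ['tls', 'abort']
```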
Mitigations
To reduce the risks of using public or untrusted networks, there are several mitigation techniques that can be applied at the infrastructure level. Among the most effective are:
- Network Isolation – logical separation of devices to limit visibility and direct interaction between clients.
- Private VLAN – isolation of clients within the same VLAN.
- Dynamic ARP Inspection (DAI) – protection against ARP spoofing attacks by verifying the integrity of ARP replies.
- DHCP Snooping – blocking unauthorized DHCP replies to prevent man-in-the-middle attacks.
- Port Security on switches – limiting and controlling the MAC addresses connected to physical ports.
- QoS and Traffic Shaping – management of bandwidth and priorities to improve efficiency and reduce the attack surfaces associated with congestion.
- Network segmentation – dividing the infrastructure into separate zones to contain threats and simplify control (it can also be done on a per-login basis).
In the next articles we will look at each of these solutions in depth, analysing real scenarios, recommended configurations and their impact on the overall security of the network.
Final conclusions
As the RedWave Team we want to raise awareness that blindly relying on encrypted protocols or default configurations can create a dangerous sense of security. We have in fact seen how protected connections can be compromised if the tools are not configured correctly or if the user is not fully aware of the risks.
The security of communications does not rest solely on the use of HTTPS or FTPS, but on adopting a proactive approach that includes secure configurations, continuous training and good operational practices.
In the next article we will explore the use of a VPN as an additional layer of protection on untrusted networks, and in the ones after that we will analyse concrete mitigation strategies to reduce risk exposure even on problematic networks such as open Wi-Fi.
The article "Collegarsi a Wi-Fi pubblici? Anche con HTTPS non sei al sicuro! Scopriamolo con questo tutorial" originally appeared on il blog della sicurezza informatica.
Hardware Built For Executing Python (Not Pythons)
Lots of microcontrollers will accept Python these days, with CircuitPython and MicroPython becoming ever more popular in recent years. However, there’s now a new player in town. Enter PyXL, a project to run Python directly in hardware for maximum speed.
What’s the deal with PyXL? “It’s actual Python executed in silicon,” notes the project site. “A custom toolchain compiles a .py file into CPython ByteCode, translates it to a custom assembly, and produces a binary that runs on a pipelined processor built from scratch.” Currently, there isn’t a hard silicon version of PyXL, no surprise given what it costs to make a chip from scratch. For now, it exists as logic running on a Zynq-7000 FPGA on an Arty-Z7-20 devboard. There’s an ARM CPU helping out with setup and memory tasks for now, but the Python code is executed entirely in dedicated hardware.
The headline feature of PyXL is speed. A comparison video demonstrates this with a measurement of GPIO latency. In this test, the PyXL runs at 100 MHz, achieving a round-trip latency of 480 nanoseconds. This is compared to MicroPython running on a PyBoard at 168 MHz, which achieves a much slower 15,000 nanoseconds by comparison. The project site claims PyXL can be 30x faster than MicroPython based on this result, or 50x faster when normalized for the clock speed differences.
Python has never been the most real-time of languages, but efforts like this attempt to push it this way. The aim is that it may finally be possible to write performance-critical code in Python from the outset. We’ve taken a look at Python in the embedded world before, too, albeit in very different contexts.
Chinese hackers use IPv6 to infect Windows: the dangerous TheWizards attack
The China-linked APT group TheWizards exploits IPv6 networking functionality to carry out man-in-the-middle attacks that hijack software updates in order to install malware on Windows. According to ESET analysts, the group has been active since at least 2022 and has attacked organizations in the Philippines, Cambodia, the United Arab Emirates, China and Hong Kong. TheWizards' victims include private individuals, gambling companies and other organizations.
In their attacks, the criminal hackers use a custom tool called Spellbinder, which abuses the IPv6 Stateless Address Autoconfiguration (SLAAC) feature to perform SLAAC attacks. SLAAC is a feature of the IPv6 network protocol that lets devices configure their own IP addresses and default gateway automatically, without a DHCP server. Instead, Router Advertisement (RA) messages are used to obtain IP addresses from IPv6-enabled routers.
Spellbinder exploits this feature by sending fake RA messages, causing nearby systems to automatically obtain a new IPv6 address, new DNS servers and a new preferred IPv6 gateway. The address of this gateway is Spellbinder's IP address, which lets the attackers intercept connections and redirect traffic through servers under their control.
"Spellbinder sends a multicast RA packet every 200 ms to ff02::1 (all nodes). Windows machines on the network with IPv6 enabled will autoconfigure via stateless address autoconfiguration (SLAAC) using the information provided in the RA message and will start sending IPv6 traffic to the machine running Spellbinder, where packets will be intercepted, analysed and, if necessary, a reply will be provided", ESET explains.
According to the researchers, Spellbinder is distributed using the archive AVGApplicationFrameHostS.zip, which is unpacked into a directory that mimics legitimate software: %PROGRAMFILES%\AVG Technologies.
This directory contains AVGApplicationFrameHost.exe, wsc.dll, log.dat and a legitimate copy of winpcap.exe. The WinPcap executable is used to load the malicious file wsc.dll, which loads Spellbinder into memory.
Once a device is infected, Spellbinder starts intercepting and analysing network traffic, watching for connection attempts to various domains, such as those associated with Chinese software update servers.
According to the experts, the malware tracks domains belonging to the following companies: Tencent, Baidu, Xunlei, Youku, iQIYI, Kingsoft, Mango TV, Funshion, Youdao, Xiaomi, Xiaomi Miui, PPLive, Meitu, Qihoo 360 and Baofeng.
The tool redirects the download and installation requests to malicious updates, which ultimately deploy the WizardNet backdoor on the victims' systems. It gives the attackers persistent access to the infected device and lets them install further malware.
To protect against such attacks, ESET advises organizations to monitor IPv6 traffic carefully or to disable the protocol entirely if it is not used in their infrastructure.
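ESET's advice to monitor IPv6 traffic is concrete enough to turn into code. The following added example (not ESET's or the article's code) decodes ICMPv6 Router Advertisements with their Source Link-Layer, Prefix Information and RDNSS options, and flags the two things the description above gives away: an RA whose sender is not a known router, and RAs arriving far faster than the 3-second minimum RFC 4861 allows (a 200 ms cadence is well below it). The packets, MAC addresses, prefixes and allow-list are all constructed with build_ra().

```python
"""Rogue IPv6 Router Advertisement monitor.

Added example, not ESET's or the article's code: it decodes the ICMPv6
Router Advertisement (RFC 4861) together with its Source Link-Layer,
Prefix Information and RDNSS (RFC 8106) options, then flags RAs that come
from a router not on the allow-list or that arrive faster than RFC 4861
permits. Packets, MACs and prefixes below are constructed with build_ra().
"""
import ipaddress
import struct
from typing import Dict, List

ICMPV6_RA = 134
OPT_SRC_LLADDR, OPT_PREFIX, OPT_RDNSS = 1, 3, 25
# RFC 4861: unsolicited RAs are at least MinRtrAdvInterval (>= 3 s) apart, and a
# router waits MIN_DELAY_BETWEEN_RAS (3 s) even before answering solicitations.
MIN_RA_INTERVAL_S = 3.0


def parse_ra(body: bytes) -> Dict:
    """Decode an ICMPv6 RA body (checksum not verified) into a small dict."""
    if len(body) < 16 or body[0] != ICMPV6_RA:
        raise ValueError("not an ICMPv6 Router Advertisement")
    router_lifetime = struct.unpack("!H", body[6:8])[0]
    ra: Dict = {"router_lifetime": router_lifetime, "src_mac": None, "prefixes": [], "dns": []}
    off = 16                                  # options follow the 16-byte fixed header
    while off + 2 <= len(body):
        opt_type, opt_len = body[off], body[off + 1]   # length is in units of 8 octets
        if opt_len == 0:
            raise ValueError("option with zero length")  # RFC 4861 says discard the packet
        opt = body[off:off + 8 * opt_len]
        if opt_type == OPT_SRC_LLADDR and opt_len == 1:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in opt[2:8])
        elif opt_type == OPT_PREFIX and opt_len == 4:
            ra["prefixes"].append(f"{ipaddress.IPv6Address(opt[16:32])}/{opt[2]}")
        elif opt_type == OPT_RDNSS and opt_len >= 3:
            for i in range(8, len(opt) - 15, 16):      # addresses start after 8-byte header
                ra["dns"].append(str(ipaddress.IPv6Address(opt[i:i + 16])))
        off += 8 * opt_len
    return ra


class RaMonitor:
    """Judge each RA against an allow-list of router MACs and the RA cadence."""

    def __init__(self, trusted_macs: List[str], min_interval_s: float = MIN_RA_INTERVAL_S) -> None:
        self.trusted = {m.lower() for m in trusted_macs}
        self.min_interval = min_interval_s
        self.last_seen: Dict[str, float] = {}

    def check(self, body: bytes, ts: float) -> List[str]:
        ra = parse_ra(body)
        mac = ra["src_mac"] or "unknown"
        alerts: List[str] = []
        if mac not in self.trusted:
            alerts.append(f"RA from untrusted {mac}: prefixes={ra['prefixes']} dns={ra['dns']}")
        prev = self.last_seen.get(mac)
        if prev is not None and ts - prev < self.min_interval:
            alerts.append(f"RA from {mac} {ts - prev:.3f}s after the previous one (min {self.min_interval}s)")
        self.last_seen[mac] = ts
        return alerts


def build_ra(src_mac: str, prefix: str, dns: str, lifetime: int = 1800) -> bytes:
    """Assemble a constructed RA for the demo (checksum zero; not a sendable packet)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, lifetime, 0, 0)
    lladdr = bytes([OPT_SRC_LLADDR, 1]) + bytes(int(x, 16) for x in src_mac.split(":"))
    net = ipaddress.IPv6Network(prefix)
    prefix_opt = (struct.pack("!BBBBIII", OPT_PREFIX, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
                  + net.network_address.packed)
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 3, 0, lifetime) + ipaddress.IPv6Address(dns).packed
    return hdr + lladdr + prefix_opt + rdnss


def demo() -> List[List[str]]:
    """Legitimate router once, then a rogue sender advertising every 200 ms."""
    mon = RaMonitor(trusted_macs=["aa:bb:cc:00:00:01"])     # constructed allow-list
    legit = build_ra("aa:bb:cc:00:00:01", "2001:db8:1::/64", "2001:db8:1::53")
    rogue = build_ra("de:ad:be:ef:00:01", "2001:db8:bad::/64", "2001:db8:bad::53")
    return [mon.check(legit, 0.0), mon.check(rogue, 0.1), mon.check(rogue, 0.3)]


if __name__ == "__main__":
    for i, alerts in enumerate(demo()):
        print(f"packet {i}: {alerts or 'ok'}")
```

In production the RA bodies would come from a raw ICMPv6 socket or a capture filter for `icmp6 && ip6.dst == ff02::1`, and the allow-list from the switch or router inventory.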
The article Chinese hackers use IPv6 to infect Windows: TheWizards' dangerous attack originally appeared on il blog della sicurezza informatica.
Nebula Mouse: The 6-DOF You Build Yourself
Let’s say your CAD workflow is starving for spatial awareness. Your fingers yearn to push, twist, and orbit – not just click. Enter the Nebula Mouse. A 6-DOF DIY marvel, blending 3D printing, magnets, and microcontroller wizardry into a handheld input device that emulates the revered 3DConnexion SpaceMouse – at a hacker price. It’s wireless, RGB-lit, powered by a chunky 1500mAh cell, and fully configurable through standard apps. The catch? You print and build it yourself, with a little help from [DoTheDIY]’s design files.
This isn’t some half-baked enclosure on Thingiverse. The Nebula’s internals are crafted with the kind of precision that makes you file plastic for hours just to fit weights correctly. Hall effect sensors track real-world movement in all axes; a Seeed Xiao nRF52840 handles Bluetooth duty. It’s hefty (280g), intentional, and smartly designed: auto-wake, USB-C, even a diffused LED bezel for night-time geek cred. Just beware that screw lengths matter. Misplace a 20mm and you’ll hear the soft crack of PCB grief. No open firmware either – you’ll get compiled code only, unlocked per build via Discord.
In short: it’s not open source, but it is deeply open-ended. If your fingers itch after having seen the SpaceMouse teardown of last month, this one’s for you.
3D Print Your Own Injection Molds, Ejector Pins and All
3D printing is all well and good for prototyping, and it can even produce useful parts. If you want real strength in plastics, though, or to produce a LOT of parts, you probably want to step up to injection molding. As it turns out, 3D printing can help in that regard, and injection molding company [APSX] has given us a look at how it printed injection molds for its APSX-PIM machine.
The concept is simple enough—additive manufacturing is great for producing parts with complex geometries, and injection molds fit very much under that banner. To demonstrate, [APSX] shows us a simple injection mold that it printed with a Formlabs Form3+ using Rigid 10K resin. The mold has good surface finish, which is crucial for injection molding nice parts. It’s also fitted with ejection pins for easy part removal after each shot of injection molded plastic. While it’s not able to hold up like a traditional metal injection mold, it’s better than you might think. [APSX] claims it got 500 automatic injection cycles out of the mold while producing real functional parts. The mold was used with the APSX-PIM injection molding machine squirting polypropylene at a cycle time of 65 seconds, producing a round part that appears to be some kind of lid or gear.
This looks great, but it’s worth noting it’s still not cheap to get into this sort of thing. On top of purchasing a Formlabs Form3+, you’ll also need the APSX-PIM V3, which currently retails for $13,500 or so. Still, if you regularly need to make 500 of something, this could be very desirable. You could get your parts quicker and stronger compared to running a farm of many 3D printers turning out the same parts.
We’ve seen similar projects along these lines before. The fact is that injection molds are complicated geometry to machine, so being able to 3D print them is highly desirable. Great minds and all that. Video after the break.
youtube.com/embed/VazxnBSpxJ0?…
Water Drops Serve as Canvas for Microchemistry Art
If you’re like us and you’ve been wondering where those viral videos of single water drop chemical reactions are coming from, we may have an answer. [yu3375349136], a scientist from Guangdong, has been producing some high quality microchemistry videos that are worth a watch.
While some polyglots out there won’t be fazed, we appreciate the captioning for Western audiences using the elemental symbols we all know and love in addition to the Simplified Chinese. Reactions featured are typically colorful, but simple with a limited number of reagents. Being able to watch diffusion of the chemicals through the water drop and the results in the center when more than one chemical is used is mesmerizing.
We do wish there was a bit more substance to the presentation, and we’re aware not all readers will be thrilled to point their devices to Douyin (known outside of China as TikTok) to view them, but we have to admit some of the reactions are beautiful.
If you’re interested in other science-meets-art projects, how about thermal camera landscapes of Iceland, and given the comments on some of these videos, how do you tell if it’s AI or real anyway?
3D printed downspout makes life just a little nicer
Sometimes, a hack solves a big problem. Sometimes, it’s just to deal with something that kind of bugs you. This hack from [The Stock Pot] is in the latter category, replacing an ugly, redundant downspout with an elegant 3D-printed pipe.
As [The Stock Pot] so introspectively notes, this was not something that absolutely required a 3D print, but “when all you have is a hammer, everything is a nail, and 3D printing is [his] hammer.” We can respect that, especially when he hammers out such a lovely print.
By modeling this section of his house in Fusion360, he could produce an elegantly swooping loft to combine the outflow into one downspout. Of course, the assembly was too big to print at once, but any plumber will tell you that ABS welds are waterproof. Paint and primer get it to match the house and hopefully hold up to the punishing Australian sun.
This is the first time we’ve posted work from [The Stock Pot] but we will be watching his career (and YouTube channel) with interest. The video, embedded below, is a good watch and a reminder that not every project has to be some grand accomplishment. Sometimes, it can be as simple as keeping you from getting annoyed when you step into your backyard.
We’ve seen rainwater collection hacks before; some of them a lot less orthodox. Of course, when printing with ABS like this, one should always keep in mind the ever-escalating safety concerns with the material.
youtube.com/embed/xw6DmG80SzA?…
Round Displays Make Neat VU Meters
You can still get moving-needle meters off the shelf if you desire that old-school look in one of your projects. However, if you want a more flexible and modern solution, you could use round displays to simulate the same thing, as [mircemk] demonstrates.
At the heart of the build is an ESP32 microcontroller, chosen for its fast clock rate and overall performance. This is key when drawing graphics to a display, as it allows for fast updates and smooth movement — something that can be difficult to achieve on lesser silicon. [mircemk] has the ESP32 reading an audio input and driving a pair of GC9A01 round displays, which are the perfect form factor for aping the looks of a classic round VU meter. The project write-up goes into detail on the code required to simulate the behavior of a real meter, from drawing the graphics to emulating realistic needle movements, including variable sweep rates and damping.
The cool thing about using a screen like this is the flexibility. You can change the dials to a different look — or to an entirely different kind of readout — at will. We’ve seen some of [mircemk]’s projects before, too, like this capable seismometer. Video after the break.
youtube.com/embed/kKqEtkJZw0g?…
Keebin’ with Kristina: the One with the Bobblehead
No, see, it’s what’s inside that counts. Believe it or not, [nobutternoparm] retrofitted this innocent, adorable little tikes® so-called “Kidboard” rubber-dome keyboard into a mechanical marvel. Yeah! No, it wasn’t exactly pure, unadulterated fun, nor was it easy to do. But then again nothing worth doing ever is.
Image by [nobutternoparm] via reddit
For one thing, the PCB ended up being a bit too wide, so the bottom half of the case is a bit mangled. But that’s okay! Onward and upward.
Next problem: a real PCB and mechanical switches (Gateron Baby Kangaroos) are a lot taller than the previous arrangement. This required spacers, a mounting plate, and longer screws to hold it all together. Now imagine lining all that up and trying to keep it that way during assembly.
And then there’s the keycaps. Guess what? They’re non-standard because they’re for rubber domes. So this meant more adapters and spacers. You’ll see in the gallery.
So we know it looks great, but how does it type? Well… [nobutternoparm] gives the feel a 4/10. The keycaps now have too many points of contact, so they bind up and have to be mashed down. But it’s going to be a great conversation piece.
With a Little Luck, You Could Fly On Wings
Before you ask, unfortunately, Wings doesn’t seem to be open-source, at least not as of this writing. But based on the comments in the reddit thread, [MoreFruit3042] seems willing to build them for some undisclosed cost.
Image by [MoreFruit3042] via reddit
That touch pad supports multi-touch gesture operations, so right there, you don’t have to use the mouse as much. And although it’s hard to tell from this picture, there is a 6° inward angle between the halves and a 6° front-to-back incline, both of which are designed to match the natural angles of hands.
I really dig the lowered thumb clusters and the fact that they aren’t overloaded with keys. There are low-profile Kailh Chocs under there, which makes for quite a slim keyboard.
Wings runs QMK, has RGB lighting, and supports real-time key-mapping with VIAL. Be sure to check out the build video below.
youtube.com/embed/4I5uRmg3ftQ?…
The Centerfold: A Truly Ergonomic Meal
Image by [Dexter_Lim] via reddit
Again, very little detail to go on here, but the keyboard is a totem. Couldn’t even tell you what’s in the right-hand (left-hand, if you go by the handle orientation) mug. Water, I suppose. But being a two-fisted drinker myself, I can really appreciate this setup. And although the sammy isn’t really my type, the extreme tenting on it is a nice touch.
Do you rock a sweet set of peripherals on a screamin’ desk pad? Send me a picture along with your handle and all the gory details, and you could be featured here!
Historical Clackers: To the Victor Go the Spoils
Image via The Antikey Chop
The Victor was patented in 1889 and produced until 1892 by the Tilton Manufacturing Company of Boston, Massachusetts. It was invented by Arthur Irving Jacobs.
Probably the most noteworthy factoid about the Victor Type-Writer is that it was the first production typewriter ever to employ a daisy wheel. This significant achievement showed up in typewriters all throughout the 1970s and 80s. My IBM Wheelwriter 5 uses a daisy wheel, as do my Brother machines.
The Victor is of course an index typewriter, as evidenced by the lack of keyboard. To use it, you would simply move the guide to the letter you wanted, which moved the daisy wheel simultaneously. Then you’d press the innermost left-hand key to swing the hammer and strike the daisy wheel against the paper. The outer left-hand key is the Space bar.
Victors were 8″ by 12″ in their footprint and weighed around 5.25 lbs. They came with wooden cases that were either rectangular or contoured to the shape. The Victor cost $15, which is close to $500 in 2025 money.
Finally, There’s Gonna Be a Christopher Latham Sholes Bobblehead
Image via The National Bobblehead Hall of Fame and Museum
So, this happened. Someone went and made a Christopher Latham Sholes bobblehead. You know, the guy who is responsible for the QWERTY layout.
I’m not sure if this is an honor or an insult. But hey, at least it will probably resemble Sholes more than would one of those Funko things. Plus, it’ll actually do something.
Here’s hoping the bobblehead itself looks like this image at least in part. One can only wish that there will be a typewriter involved. (Doesn’t there almost have to be?)
This thing is currently available for pre-order for the low price of $35. You can either have it shipped, or you can pick it up at QWERTYFEST MKE (that means Milwaukee, WI), being held October 3-5.
So what’s the connection? Sholes hailed from Milwaukee, where he was a noted newspaper publisher, politician, and of course, a successful commercial typewriter inventor. Do I want one of these? I may or may not be nodding my head right now.
Got a hot tip that has like, anything to do with keyboards? Help me out by sending in a link or two. Don’t want all the Hackaday scribes to see it? Feel free to email me directly.
Creative PCB Business Cards are Sure to Make an Impression
Business cards are a simple way to share contact information, but a memorable design can make them stand out. [Jeremy Cook] has been experimenting with adding artistic finishes to PCBs, and has recently applied what he’s learned to make some unique business cards. His write-up consolidates some great resources to get you started in making your own PCB business cards, as well as PCB art in general.
To make his cards stand out, he designed them to serve as functional tools beyond sharing contact information. He created two designs: one incorporates an LED and a coin cell battery holder, while the other includes drafting tools, such as a ruler, circle stencils, and a simplified protractor.
While the classic PCB solder mask is green, many board houses now offer alternative finishes and colors to enhance designs. He tested and compared the offerings from various manufacturers, highlighting the importance of researching fabrication options early, as different providers offer a variety of finishes. His creative approach shines in details like using through-hole pads as eyes in a robot illustration, making them stand out against a halftone dot pattern.
If you’re looking for more inspiration, be sure to check out the winners of our 2024 Business Card Challenge.
What Happened to WWW.?
Once upon a time, typing “www” at the start of a URL was as automatic as breathing. And yet, these days, most of us go straight to “hackaday.com” without bothering with those three letters that once defined the internet.
Have you ever wondered why those letters were there in the first place, and when exactly they became optional? Let’s dig into the archaeology of the early web and trace how this ubiquitous prefix went from essential to obsolete.
Where Did You Go?
The first website didn’t bother with any of that www. nonsense! Credit: author screenshot
It may shock you to find out that the “www.” prefix was never really a key feature or a necessity at all. To understand why, we need only look at the very first website, created by Tim Berners-Lee at CERN in 1990. Running on a NeXT workstation pressed into service as a server, the site could be reached at a simple URL: “http://info.cern.ch/”, no WWW needed. Berners-Lee had invented the World Wide Web and named it as such, but he hadn’t put the prefix in his URL at all. So where did it come from?
McDonald’s were ahead of the times – in 1999, their website featured the “mcdonalds.com” domain, no prefix, though you did need it to actually get to the site. Credit: screenshot via Web Archive
As it turns out, the www prefix largely came about due to prevailing trends on the early Internet. It had become typical to separate out different services on a domain by using subdomains. For example, a company might offer FTP access at ftp.company.com, while the SMTP server would be reached via the smtp.company.com subdomain. In turn, when it came to setting up a server for a World Wide Web page, network administrators followed the existing convention: they put the WWW server on the www. subdomain, creating www.company.com.
This soon became standard practice, and in short order was expected by members of the broader public as they joined the Internet in the late 1990s. It wasn’t long before end users were ignoring the http:// prefix at the start of domains, as web browsers didn’t really need you to type that in. However, www. had more of a foothold in the public consciousness. Along with “.com”, it became an obvious way for companies to highlight their fancy new website in their public-facing marketing materials. For many years, this was simply how things were done. Users expected to type “www” before a domain name, and thus it became an ingrained part of the culture.
Eventually, though, trends shifted. For many domains, web traffic was the sole dominant use, so it became somewhat unnecessary to fold web traffic under its own subdomain. There was also a technological shift when the HTTP/1.1 protocol was introduced in 1999, with the “Host” header enabling multiple domains to be hosted on a single server. This, along with tweaks to DNS, also made it trivial to ensure “www.yoursite.com” and “yoursite.com” went to the same place. Beyond that, fashion-forward companies started dropping the leading www. for a cleaner look in marketing. Eventually, this would become the norm, with “www.” soon looking old hat.
Visit microsoft.com in Chrome, and you might think that’s where you really are… Credit: author screenshot
Of course, today, “www” is mostly dying out, at least as far as the industry and most end users are concerned. Few of us spend much time typing in URLs by hand these days, and fewer of us could remember the last time we felt the need to include “www.” at the beginning. Of course, if you want to make your business look out of touch, you could still include www. on your marketing materials, but people might think you’re an old fuddy duddy.
…but you’re not! Click in the address bar, and Chrome will show you the real URL, www. and all. Embarrassing! Credit: author screenshot
Hackaday, though? We rock without the prefix. Cutting-edge out here, folks. Credit: author screenshot
Using the www. prefix can still have some value when it comes to cookies, however. If you don’t use the prefix and someone goes to yoursite.com, that cookie would be sent to all subdomains. However, if your main page is set up at www.yoursite.com, it’s effectively on its own subdomain, alongside any others you might have, like store.yoursite.com, blog.yoursite.com, and so on. This allows cookies to be managed more effectively across a site spanning multiple subdomains.
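To make the cookie-scoping point concrete, here is an added illustration that is not part of the original article: it implements the domain-matching rule of RFC 6265 (section 5.1.3) and applies it to a constructed cookie jar built on the hostnames used in the text. A cookie carrying `Domain=yoursite.com` reaches every subdomain, a cookie set host-only by www.yoursite.com stays on www.yoursite.com, and a `Domain` attribute that does not cover the setting host is rejected by the browser. The cookie names are made up.

```python
"""RFC 6265 cookie scoping: host-only cookies versus Domain cookies across subdomains.

Added example for this article (not the author's code). The jar is constructed;
the hostnames follow the ones used in the text.
"""
from dataclasses import dataclass
from typing import List, Optional


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host domain-matches domain if identical or a subdomain of it.
    (The RFC also requires host to be a name, not an IP literal; omitted for brevity.)"""
    host = host.lower().rstrip(".")
    domain = domain.lower().lstrip(".").rstrip(".")
    return host == domain or host.endswith("." + domain)


@dataclass
class Cookie:
    name: str
    set_by: str                   # host that sent the Set-Cookie header
    domain: Optional[str] = None  # Domain attribute; None means host-only

    def accepted(self) -> bool:
        """RFC 6265 5.3 step 6: a Domain attribute must cover the setting host, or the UA drops the cookie."""
        return self.domain is None or domain_matches(self.set_by, self.domain)

    def sent_to(self, host: str) -> bool:
        if not self.accepted():
            return False
        if self.domain is None:   # host-only flag: exact host match only
            return host.lower() == self.set_by.lower()
        return domain_matches(host, self.domain)


def cookies_for(jar: List[Cookie], host: str) -> List[str]:
    """Names of the cookies a browser would attach to a request for host."""
    return sorted(c.name for c in jar if c.sent_to(host))


# Constructed jar.
JAR = [
    Cookie("session_apex", set_by="yoursite.com", domain="yoursite.com"),        # apex with Domain: all subdomains
    Cookie("session_www", set_by="www.yoursite.com"),                             # host-only on www: stays there
    Cookie("pref_store", set_by="store.yoursite.com"),                            # host-only on the store
    Cookie("bad_scope", set_by="store.yoursite.com", domain="www.yoursite.com"),  # rejected: does not cover setter
]

if __name__ == "__main__":
    for h in ("yoursite.com", "www.yoursite.com", "store.yoursite.com", "blog.yoursite.com"):
        print(f"{h:22} -> {cookies_for(JAR, h)}")
```

The public suffix list (which stops a site from setting `Domain=com`) is left out; browsers apply it on top of the matching rule shown here.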
In any case, most browsers have taken a stance against the significance of “www”. Chrome, Safari, Firefox, and Edge all hide the prefix even when you are technically visiting a website that does still use the www. subdomain (like www.microsoft.com). You can try it yourself in Chrome—head over to a www. site and watch as the prefix disappears from the address bar. If you really want to know whether you’re on a www subdomain or not, though, you can click into the address bar and it will give you the full URL, HTTP:// or HTTPS:// included, and all.
The “www” prefix stands as a reminder that the internet is a living, evolving thing. Over time, technical necessities become conventions, conventions become habits, and habits eventually fade away when they no longer serve a purpose. Yet we still see those three letters pop up on the Web now and then, a digital vestigial organ from the early days of the web. The next time you mindlessly type a URL without those three Ws, spare a thought for this small piece of internet history that shaped how we access information for decades. Largely gone, but not yet quite forgotten.
Children and teenagers in the web's crosshairs: the Polizia Postale reveals the new digital threats
“Protecting the rights of children and adolescents is a priority for the Polizia di Stato and requires careful assessment of emerging threats, the use of innovative technologies, and a methodological and operational approach in step with the development of communication media that can open new prospects in terms of knowledge and social interaction.
In recent years we have witnessed the rise of new trends, including the use of generative artificial intelligence and of tools designed to guarantee anonymity on the web. These advanced technologies open new frontiers for creativity and innovation, but at the same time introduce unprecedented threats.
The Specialty's competences in child protection have expanded in this complex landscape thanks to regulatory provisions aimed at strengthening the protection system and countering phenomena such as cyberbullying and bullying, and emerging youth trends, including challenges, the risky dares that spread on social networks, which have increased the dangers for young people in the digital context. Social media, messaging platforms and new digital tools are regarded by adolescents as privileged environments for creating and maintaining social relationships.
However, the dangers of the network are many: minors can fall victim to grooming or be pushed by online predators into producing intimate images, risking threats such as child pornography, revenge porn and sextortion.
They may also suffer bullying, cruel pranks and harassment from peers, often during online gaming sessions (cyberbullying), as well as privacy violations or online scams (romance scams). The network can also offer spaces for peer discussion and emotional support, but at times these environments turn into places where psychological distress, self-harm or eating disorders are shared. Moreover, inappropriate content is easily accessible even to the youngest, becoming a means of exploring sexuality prematurely and of joining closed groups in which images of every kind are exchanged, including depictions of extreme violence such as “gore” material.
Within the broader and more complex scenario of online security, the Polizia Postale, by adopting cutting-edge investigative methodologies grounded in international cooperation with police forces worldwide and by promoting ever-closer cooperation between the public and private sectors, has structured its commitment around relentless monitoring of the network to face every risk of the web. Its prevention and enforcement activity has set as its priority objective the protection of minors and vulnerable victims, with particular attention to the growth phase of awareness in browsing the network.
The National Day against Paedophilia and Child Pornography is a moment to reaffirm this commitment and renew our determination in the fight against a borderless crime that evolves in step with technology.”
These are the words of the Director of the Servizio Polizia Postale e per la sicurezza cibernetica, Ivano Gabrielli, in the preface to the document “INTERNET, TANTE STORIE DA RACCONTARE INSIEME…”, which we invite you to read carefully.
There is a lot to do, which is why everyone must play their part: parents, educators, institutions, tech companies and citizens, and help the Polizia Postale do its job. We cannot look the other way. It is essential to understand young people's difficulties, to listen to them, accompany them and protect them on their digital paths. Never be afraid to report: flagging suspicious or dangerous situations is an act of responsibility and courage, not a fault. The online safety of children and adolescents depends on a collective and concrete commitment, every day.
The article Children and teenagers in the web's crosshairs: the Polizia Postale reveals the new digital threats originally appeared on il blog della sicurezza informatica.
Rayhunter Sniffs Out Stingrays for $30
These days, if you’re walking around with a cellphone, you’ve basically fitted an always-on tracking device to your person. That’s even more the case if there happens to be an eavesdropping device in your vicinity. To combat this, the Electronic Frontier Foundation has created Rayhunter as a warning device.
Rayhunter is built to detect IMSI catchers, also known as Stingrays in the popular lexicon. These are devices that attempt to capture your phone’s IMSI (international mobile subscriber identity) number by pretending to be real cell towers. Information on these devices is tightly controlled by manufacturers, which largely market them for use by law enforcement and intelligence agencies.
Rayhunter in use.
To run Rayhunter, all you need is an Orbic RC400L mobile hotspot, which you can currently source for less than $30 USD online. Though experience tells us that could change as the project becomes more popular with hackers. The project offers an install script that will compile the latest version of the software and flash it to the device from a computer running Linux or macOS — Windows users currently have to jump through a few extra hoops to get the same results.
Rayhunter works by analyzing the control traffic between the cell tower and the hotspot to look out for hints of IMSI-catcher activity. Common telltale signs are requests to switch a connection to less-secure 2G standards, or spurious queries for your device’s IMSI. If Rayhunter notes suspicious activity, it turns a line on the Orbic’s display red as a warning. The device’s web interface can then be accessed for more information.
While IMSI catchers really took off on less-secure 2G networks, there are developments that allow similar devices to work on newer cellular standards, too. Meanwhile, if you’ve got your own projects built around cellular security, don’t hesitate to notify the tipsline!
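The two telltales the article names, requests to downgrade to 2G and spurious IMSI queries, are the kind of signal a detector looks for in control-plane messages. As an added example that is not Rayhunter's code (Rayhunter parses the Orbic's raw modem diagnostic logs), the script below runs those two heuristics over a simplified, constructed record format: an IMSI identity request arriving after the network has already assigned the phone a temporary identity, and a connection release that redirects the phone to GERAN (2G). The session logs and the `CpEvent` record type are invented for the demonstration.

```python
"""Heuristics for IMSI-catcher telltales over a simplified control-plane log.

Added example for this article, not Rayhunter's code. The record format and
both sessions are constructed; the logic is reduced to the two signs the text
names: spurious IMSI identity requests and downgrades to 2G.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class CpEvent:
    t: float        # seconds since capture start
    layer: str      # "NAS" (mobility management) or "RRC" (radio resource control)
    msg: str        # simplified message name
    info: dict = field(default_factory=dict)


def analyze(session: List[CpEvent]) -> List[Tuple[float, str]]:
    """Return (time, reason) alerts for one attach/session.

    Once a phone has completed an attach it holds a temporary identity (GUTI/TMSI),
    so a fresh request for the permanent IMSI is unusual. A release that redirects
    to GERAN moves the phone to 2G, where weaker protection applies.
    """
    alerts: List[Tuple[float, str]] = []
    has_temp_id = False
    for e in session:
        if e.layer == "NAS" and e.msg == "Attach Accept":
            has_temp_id = True
        elif e.layer == "NAS" and e.msg == "Identity Request" and e.info.get("type") == "IMSI":
            if has_temp_id:
                alerts.append((e.t, "IMSI identity request after a temporary identity was already assigned"))
        elif e.layer == "RRC" and e.msg == "Connection Release" and e.info.get("redirect_rat") == "GERAN":
            alerts.append((e.t, "connection release redirects the phone to 2G (GERAN)"))
    return alerts


def verdict(session: List[CpEvent]) -> str:
    return "suspicious" if analyze(session) else "clean"


# Constructed sessions.
# A first attach legitimately asks for the IMSI before any temporary identity exists.
NORMAL = [
    CpEvent(0.0, "NAS", "Attach Request"),
    CpEvent(0.1, "NAS", "Identity Request", {"type": "IMSI"}),
    CpEvent(0.2, "NAS", "Identity Response"),
    CpEvent(0.5, "NAS", "Attach Accept"),
    CpEvent(60.0, "RRC", "Connection Release"),
]
# After attach, the "network" asks for the IMSI again and then pushes the phone to 2G.
SUSPECT = [
    CpEvent(0.0, "NAS", "Attach Request"),
    CpEvent(0.5, "NAS", "Attach Accept"),
    CpEvent(30.0, "NAS", "Identity Request", {"type": "IMSI"}),
    CpEvent(30.2, "NAS", "Identity Response"),
    CpEvent(31.0, "RRC", "Connection Release", {"redirect_rat": "GERAN"}),
]

if __name__ == "__main__":
    for name, s in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, verdict(s), analyze(s))
```

Both heuristics have benign explanations (a network losing context can legitimately re-request an IMSI; rural networks still redirect to 2G for coverage), which is why a device like Rayhunter warns rather than blocks and keeps the evidence for later review.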
Can we fix the digital transatlantic relationship?
WELCOME BACK TO DIGITAL BRIDGE. I'm Mark Scott, and this weekend marked May 4th — also known as Star Wars Day, for those who follow such things. This video plays in my head every time I have to explain the Star Wars basics to a non-fan.
For anyone in Brussels on May 15, I'll be co-hosting a tech policy gathering in the EU Quarter. We're running a waiting list, so add your name here and we'll try to open up some more slots.
— The transatlantic relationship on tech is in the worst shape in decades. Here are some ways to improve it — even if wider political tensions remain.
— A far-right candidate won the first round of Romania's presidential election. Europe has not responded well to the digital fall-out.
— Media freedom has been significantly curtailed over the last decade amid people's shift toward social media for their understanding of the world.
Let's get started:
StealC V2: anatomy of a modern, modular malware
In the vast arsenal of cybercrime, one category of malware keeps evolving with almost industrial speed and precision: information stealers. These tools, originally created to steal authentication data from browsers, have become sophisticated, persistent and scalable data-collection platforms. Among them, StealC is one of the most dynamic and dangerous implementations of recent years.
Version 2 of StealC, which appeared on the radar in March 2025, marks a profound evolution, both structurally and operationally. This article aims to be a complete technical examination, enriched by the visual behavioural analysis obtained from a dynamic sandbox, and aimed at industry professionals who want to understand the real impact of this stealer on today's threat ecosystem.
What is StealC? A short history and context
StealC emerged in 2023 as a generic infostealer, often used by mid-tier threat actors for phishing and malware-as-a-service (MaaS) campaigns. Even then it relied on a modular approach, based on custom loaders and disguised C2 communications.
In the last months of 2024 and the first months of 2025, analysts at Zscaler and other threat intelligence teams observed exponential growth in variants, with the introduction of version 2 (V2) as a genuine architectural leap. It is, to all intents and purposes, a cyber-espionage framework: a flexible, adaptive system with a built-in builder that lets the operator customize the final executable for the target.
Analysis of StealC V2
C2 and communication: JSON and RC4
One of the main changes is the introduction of a JSON-based C2 structure. Outbound traffic uses well-structured packets, with keys and values representing the infected client's state, the active modules and update requests. All traffic is encrypted with RC4, an apparently obsolete choice that is still effective at evading superficial controls (especially where SSL inspection is only partial).
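What "JSON over RC4 with an embedded key" means for an analyst is best seen on a captured beacon. The following is an added analysis example written for this article; it is not StealC code and the key, field names and beacon are all constructed (in a real case the RC4 key is recovered from the sample's configuration). It decrypts a beacon, parses the JSON, extracts the fields that become indicators, and shows a detection consequence of this design: RC4 is a stream cipher with no IV, so under a static key every beacon that starts with the constant JSON opening `{"` produces the same first ciphertext bytes, which is a usable network signature.

```python
"""Decrypting a StealC-style C2 beacon in a sandbox: RC4, then JSON.

Added analysis example for this article, not malware code and not taken from
any sample. ASSUMED_KEY, the field names and the beacon are constructed.
"""
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_beacon(key: bytes, blob: bytes) -> dict:
    """Decrypt a captured POST body and parse it; a wrong key yields no valid JSON."""
    plain = rc4(key, blob)
    try:
        msg = json.loads(plain)
    except ValueError as exc:          # JSONDecodeError and UnicodeDecodeError both derive from ValueError
        raise ValueError("wrong key or not a JSON beacon") from exc
    if not isinstance(msg, dict):
        raise ValueError("beacon is not a JSON object")
    return msg


def indicators(msg: dict) -> dict:
    """Pull the fields an analyst turns into IoCs and detections."""
    return {
        "hwid": msg.get("hwid"),
        "modules": sorted(msg.get("modules", [])),
        "requests_update": bool(msg.get("update")),
    }


def static_prefix_signature(key: bytes, n: int = 2) -> bytes:
    """First n ciphertext bytes of any beacon that starts with '{"' under this key.
    No IV plus a static key means this prefix is constant across infections."""
    return rc4(key, b'{"'[:n])


# Constructed sample: a plaintext beacon re-encrypted with the assumed key stands
# in for what a sandbox would capture in the POST body.
ASSUMED_KEY = b"example-rc4-key"   # placeholder, not a real StealC key
SAMPLE_PLAINTEXT = json.dumps(
    {"hwid": "HWID-EXAMPLE-0001", "modules": ["screenshot", "grabber"], "update": 1}
).encode()
CAPTURED_BLOB = rc4(ASSUMED_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    beacon = decode_beacon(ASSUMED_KEY, CAPTURED_BLOB)
    print(indicators(beacon))
    print("constant prefix:", static_prefix_signature(ASSUMED_KEY).hex())
```

The signature trick is also the reason the text's remark about RC4 being "apparently obsolete" cuts both ways: the cipher still hides the payload from a casual inspector, but the lack of per-message randomness leaks structure that a network rule can match without knowing the key, once one sample has been decrypted.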
Modular architecture and payload distribution
StealC V2 can distribute secondary modules in the form of:
- MSI packages (T1218.007 – Trusted Execution Utility: msiexec.exe),
- PowerShell scripts (T1059.001 – Command and Scripting Interpreter: PowerShell),
- executables disguised with arbitrary extensions, or DLLs loaded in memory.
These payloads are governed by configurable rules based on:
- IP geolocation,
- hardware ID (T1082 – System Information Discovery),
- installed software (T1518 – Software Discovery).
Persistence and evasion
Persistence mechanisms rely on:
- Task Scheduler (T1053.005),
- the registry Run and RunOnce keys (T1547.001),
- loading via AppInit_DLLs for DLL hijacking (T1546.010).
Code obfuscation has been significantly improved, with API functions resolved dynamically through hashing to avoid static matching by traditional AVs. Configurations are AES-encrypted with an embedded key, and the code contains encrypted segments that are loaded only in memory (T1027 – Obfuscated Files or Information).
New features: screenshots, file grabber and brute-forcing
Among the new or improved features of V2 we find:
Multi-monitor screenshots
The screenshot module can now map multiple displays, saving a sequence of compressed images and sending them to the C2 in encrypted batches. The function can be triggered manually or automated at intervals.
Unified file grabber
A single module can:
- search for files by extension (.docx, .xlsx, .kdbx, .pdf),
- filter by path (Desktop, Downloads, OneDrive),
- analyze metadata to avoid duplicates.
Server-side brute-forcing
Another novelty is the ability to feed harvested credentials to a server-side brute-force module, which uses updatable dictionaries and reports back only the credentials that are actually valid. This lets operators cut the background noise of exfiltration.
Behavioural graph: analysis of sandbox telemetry
The attached graph represents the execution observed in a sandbox environment. Some key elements:
- The initial node StealC.exe triggers a chain of parallel execution. Each edge represents a parent-child link between processes (e.g. execution or injection).
- The relationships with [T1059.001] indicate executed PowerShell scripts, probably used to:
  - collect system information (T1082),
  - test for the presence of AV or a sandbox (T1497),
  - download further modules.
- Other nodes (e.g. [T1055]) refer to Process Injection techniques, used to migrate into legitimate processes (e.g. explorer.exe or svchost.exe).
- Techniques such as [T1071.001] (web protocols) point to communications with the C2 over HTTP/HTTPS (possibly disguised as legitimate traffic with custom headers or randomized parameters).
- Some secondary processes terminate quickly, others stay active in the background, suggesting the use of asynchronous threads or remote polling techniques.
In short: the malware's modular, non-linear structure is designed to evade behavioural detection and confound post-mortem analysis.
Relationship with Amadey and the malware ecosystem
StealC V2 has often been observed in combination with Amadey, used as the initial dropper. In this scheme:
- Amadey infects the system,
- collects initial information,
- if the criteria are met, StealC is downloaded,
- StealC then takes over the exfiltration phase and persistent C2.
This collaboration between malware families is indicative of a mature cybercriminal ecosystem, in which payloads specialize and act in synergy to maximize profit.
Closing remarks
StealC V2 is not just any stealer. It is a professional product, aimed at APT groups, organized cybercrime groups and operators who want large-scale customizable campaigns. Its modular architecture, granular configurability and advanced evasion techniques make it extremely dangerous.
Traditional defenses are no longer enough. A multi-layered approach is required:
- EDR with behavioural detection and memory scanning,
- SIEM with event correlation (anomalous PowerShell executions, outbound connections to newly registered domains),
- PowerShell restrictions (ConstrainedLanguage mode),
- network monitoring with deep TLS inspection,
- and above all continuous user training, the true first link in the defensive chain.
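The SIEM item in the list above names two signals; what makes them a detection rather than two noisy alerts is correlating them on the same process within a short window. As an added example for this article (not a vendor rule), the script below does that over constructed, simplified renderings of Windows Security event 4688 (process creation, with command line) and Sysmon event 3 (network connection): a PowerShell start with suspicious switches followed within 60 s, from the same process, by a connection to a domain registered less than a week ago. The domain registration table is a stub standing in for WHOIS/RDAP data, and the encoded command is a labelled placeholder.

```python
"""Correlating suspicious PowerShell starts with connections to newly registered domains.

Added example for this article, not a vendor rule. EVENTS are constructed,
simplified 4688 / Sysmon 3 records; DOMAIN_REGISTERED is a stub for RDAP data.
"""
from datetime import datetime, timedelta
from typing import Dict, List

NOW = datetime(2025, 4, 1, 12, 0, 0)          # constructed "current time" of the analysis
YOUNG_DOMAIN_DAYS = 7
CORRELATION_WINDOW = timedelta(seconds=60)

# Constructed: registration dates an analyst would pull from RDAP/WHOIS.
DOMAIN_REGISTERED = {
    "updates.example-vendor.test": datetime(2015, 3, 2),
    "cdn-7fq2.example-fresh.test": datetime(2025, 3, 28),
}

# Command-line fragments typical of loader-spawned PowerShell (case-insensitive).
SUSPICIOUS_TOKENS = ("-enc", "-encodedcommand", "-nop", "-noprofile", "-w hidden",
                     "downloadstring", "frombase64string")


def suspicious_powershell(cmdline: str) -> bool:
    c = cmdline.lower()
    return "powershell" in c and any(tok in c for tok in SUSPICIOUS_TOKENS)


def domain_age_days(host: str):
    """None when no registration data is known (treated as suspicious, not as old)."""
    reg = DOMAIN_REGISTERED.get(host)
    return None if reg is None else (NOW - reg).days


def correlate(events: List[Dict]) -> List[Dict]:
    """Pair each network event to a young/unknown domain with a suspicious PowerShell
    start of the same process inside the window. Real rules should key on the Sysmon
    ProcessGuid rather than the PID, which the OS reuses."""
    ps_starts = [e for e in events if e["id"] == 4688 and suspicious_powershell(e["cmdline"])]
    alerts = []
    for net in (e for e in events if e["id"] == 3):
        age = domain_age_days(net["dest_host"])
        if age is not None and age > YOUNG_DOMAIN_DAYS:
            continue                                   # established domain: skip
        for ps in ps_starts:
            delta = net["ts"] - ps["ts"]
            if ps["pid"] == net["pid"] and timedelta(0) <= delta <= CORRELATION_WINDOW:
                alerts.append({
                    "pid": ps["pid"],
                    "parent": ps["parent"],
                    "dest_host": net["dest_host"],
                    "domain_age_days": age,
                    "delay_s": delta.total_seconds(),
                })
    return alerts


# Constructed event stream (fields reduced to what the rule needs).
EVENTS = [
    {"id": 4688, "ts": datetime(2025, 4, 1, 12, 0, 0), "pid": 4120,
     "parent": r"C:\Users\Public\svc.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc BASE64-PLACEHOLDER"},
    {"id": 3, "ts": datetime(2025, 4, 1, 12, 0, 5), "pid": 4120,
     "dest_host": "cdn-7fq2.example-fresh.test", "dest_port": 443},
    {"id": 3, "ts": datetime(2025, 4, 1, 12, 0, 30), "pid": 4120,
     "dest_host": "updates.example-vendor.test", "dest_port": 443},
    {"id": 4688, "ts": datetime(2025, 4, 1, 12, 1, 0), "pid": 5000,
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"id": 3, "ts": datetime(2025, 4, 1, 12, 1, 10), "pid": 5000,
     "dest_host": "cdn-7fq2.example-fresh.test", "dest_port": 443},
]

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print("[ALERT]", a)
```

Only the first pair fires: the admin's `inventory.ps1` run reaches the same young domain but has a benign command line, and the encoded-command process also talks to an old vendor domain, which is ignored. That asymmetry is the point of correlating rather than alerting on either signal alone.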
StealC V2 is just one of many signals reminding us that the malware industry is today a genuine supply chain, with roles, modules, market logic and continuous updates. Malware that evolves like software, but with a single goal: steal, control, monetize.
The article StealC V2: anatomy of a modern, modular malware originally appeared on il blog della sicurezza informatica.
DK 9x27 The big picture on AI
Let's try to give an overall view of the media and cultural chaos that is so-called Artificial Intelligence
spreaker.com/episode/dk-9x27-l…