<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" > <channel> <title>Edoardo Limone</title> <atom:link href="https://www.edoardolimone.com/en/feed/" rel="self" type="application/rss+xml" /> <link>https://www.edoardolimone.com/en/elementor-17618/</link> <description>ICT, Cybersecurity, and more...</description> <lastBuildDate>Tue, 17 Dec 2024 16:10:27 +0000</lastBuildDate> <language>en-GB</language> <sy:updatePeriod> hourly </sy:updatePeriod> <sy:updateFrequency> 1 </sy:updateFrequency> <generator>https://wordpress.org/?v=6.7.1</generator> <image> <url>https://www.edoardolimone.com/wp-content/uploads/2017/01/cropped-EL-150x150.png</url> <title>Edoardo Limone</title> <link>https://www.edoardolimone.com/en/elementor-17618/</link> <width>32</width> <height>32</height> </image> <item> <title>Data breach: AIAD</title> <link>https://www.edoardolimone.com/en/2024/12/17/data-breach-aiad/</link> <comments>https://www.edoardolimone.com/en/2024/12/17/data-breach-aiad/#respond</comments> <dc:creator><![CDATA[Edoardo Limone]]></dc:creator> <pubDate>Tue, 17 Dec 2024 16:06:43 +0000</pubDate> <category><![CDATA[Cybersecurity]]></category> <category><![CDATA[Data Breach]]></category> <category><![CDATA[Ransomware]]></category> <category><![CDATA[Sicurezza Informatica]]></category> <guid isPermaLink="false">https://www.edoardolimone.com/?p=18626</guid> <description><![CDATA[<p>AIAD is the Federation, member of Confindustria, representing Italian Aerospace, Defence and Security Companies. 
About AIAD We learn from the AIAD portal that the Federation: It includes almost all the […]</p> <p>The article <a href="https://www.edoardolimone.com/en/2024/12/17/data-breach-aiad/">Data breach: AIAD</a> comes from <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></description> <content:encoded><![CDATA[<p>AIAD is the Federation, member of Confindustria, representing <strong>Italian Aerospace</strong>, Defence and Security <strong>Companies</strong>.</p> <span id="more-18626"></span> <h2 class="wp-block-heading">About AIAD</h2> <p>We learn from the AIAD portal that the Federation:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>It includes almost all the national high-technology companies that carry out design, production, research and service activities in the civil and military aerospace, naval and military land and electronic systems, cyber and security related sectors. AIAD maintains close and constant relations with national, international and NATO bodies and institutions in order to promote, represent and guarantee the interests of the industry it represents.<br><strong>Significant is the activity carried out in this regard by the NIAG (NATO Industrial Advisory Group) guaranteed through its experts.</strong> The AIAD is a member, representing Italian industry, of the equivalent European Association (ASD). In this context, it is the reference interface for all national and foreign institutions for the coordination of any initiative in which there is a need to represent the industry’s national interests. It drafts and presents industry reports and positions to various government departments and any other foreign institutional organisation. It provides a significant contribution to the development of sector plans to be drawn up by Defence bodies and/or other State Administrations in the areas of Research and Innovation; Procedural, technical and contractual regulations. 
A close working relationship is now consolidated with the Defence Administration and General Secretariat, as well as with other Ministries such as Foreign Affairs, Enterprise and Made in Italy, University and Scientific Research or Bodies and Institutions such as ENAC, ASI, CNR, etc. In order to monitor and foster a more effective coordination action in relation to activities and initiatives in the EU sphere, it has its own office in Brussels; there is also a permanent Federation presence at the Defence General Secretariat to monitor and coordinate initiatives to support the internationalisation of its enterprises and to foster a structured and daily updated dialogue between Defence and Industry.</p> </blockquote> <h3 class="wp-block-heading">More details</h3> <p>It is also important to note the following:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>The AIAD coordinates numerous working groups at national and international level, promotes the organisation of seminar and congress events and collects statistical reports on the trends of the major economic indicators. It is also the interpreter of an intense promotional activity abroad to co-ordinate Italian participation in the most important international events and to organise and co-ordinate the mission abroad of our enterprises but also the visit to Italy of foreign delegations. AIAD provides support through UNAVIA for Standardisation, Training and Personnel Qualification activities. In addition to UNAVIA, AIAD is also a member of ANPAM, the National Association of Manufacturers of Sporting and Civil Arms and Ammunition. 
The AIAD is a Founding Member of the National Technological Cluster for Aerospace (CTNA) for which it manages the General Secretariat.</p> </blockquote> <h3 class="wp-block-heading">Associates</h3> <figure class="wp-block-image aligncenter size-large is-resized"><img fetchpriority="high" decoding="async" width="1024" height="348" src="https://www.edoardolimone.com/wp-content/uploads/2024/12/Argonauts_AIAD_03-1024x348.png" alt="Screenshot of the AIAD portal dedicated to federated companies" class="wp-image-18625" style="width:668px;height:auto" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/12/Argonauts_AIAD_03-1024x348.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/12/Argonauts_AIAD_03-300x102.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/12/Argonauts_AIAD_03-768x261.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/12/Argonauts_AIAD_03.png 1272w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Screenshot of the AIAD portal dedicated to federated companies</figcaption></figure> <p>Some 229 companies, both private and publicly governed, are members of the AIAD. 
These include names such as:</p> <ul class="wp-block-list"> <li>AID-Defence Industries Agency (public body)</li> <li>CIRA-Italian Aerospace Research Centre</li> <li>Fincantieri Nextech S.p.A.</li> <li>KNDS Ammo Italy S.p.A.</li> <li>Fabbrica d’Armi Pietro Beretta S.p.A.</li> <li>Fiocchi Munizioni S.p.A.</li> <li>Telespazio S.p.A.</li> </ul> <h2 class="wp-block-heading">What happened</h2> <figure class="wp-block-image aligncenter size-large is-resized"><img decoding="async" width="1024" height="711" src="https://www.edoardolimone.com/wp-content/uploads/2024/12/Argonauts_AIAD_01-1024x711.png" alt="Vindication of the attack on AIAD published by Argonauts" class="wp-image-18624" style="width:549px;height:auto" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/12/Argonauts_AIAD_01-1024x711.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/12/Argonauts_AIAD_01-300x208.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/12/Argonauts_AIAD_01-768x533.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/12/Argonauts_AIAD_01-1536x1066.png 1536w, https://www.edoardolimone.com/wp-content/uploads/2024/12/Argonauts_AIAD_01.png 1714w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Claim of the attack on AIAD published by Argonauts</figcaption></figure> <p>On 26/10/2024, the Argonauts collective published an attack claim against AIAD. The attack on AIAD is significant because the Federation is strongly affected by the NIS2 Directive, whose transposition decree (<a href="https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:decreto.legislativo:2024-09-04;138!vig=" target="_blank" rel="noreferrer noopener">Legislative Decree 138/2024</a>) includes the <strong>space</strong> sector among the highly critical subjects. 
As already written, the companies that are part of the Federation operate in sectors that also concern <strong>Defence</strong>, and therefore <strong>armaments</strong> and related technologies. What is certain is that, as of the current date (2 December 2024), no news has been published in the ‘News’ section of the AIAD portal.</p> <figure class="wp-block-image aligncenter size-large is-resized"><img decoding="async" width="1024" height="827" src="https://www.edoardolimone.com/wp-content/uploads/2024/12/Argonauts_AIAD_02-1024x827.png" alt="Screenshot of the 'News' section of the AIAD portal" class="wp-image-18623" style="width:622px;height:auto" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/12/Argonauts_AIAD_02-1024x827.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/12/Argonauts_AIAD_02-300x242.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/12/Argonauts_AIAD_02-768x620.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/12/Argonauts_AIAD_02-1536x1241.png 1536w, https://www.edoardolimone.com/wp-content/uploads/2024/12/Argonauts_AIAD_02.png 1936w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Screenshot of the ‘News’ section of the AIAD portal</figcaption></figure> <p>At the time of writing this article, the Argonauts claim post has been consistently averaging 49 visits per day.</p> <h2 class="wp-block-heading">About the Argonauts collective</h2> <p>The Argonauts collective, according to <a href="https://ransomfeed.it/stats.php?page=group-list&group=argonauts&y=2024" target="_blank" rel="noreferrer noopener">Ransomfeed</a>, has an apparently recent history. In 2024, it carried out 10 attacks divided between Taiwan, Italy and Japan (data as of 2/12/2024), with a relatively small known exfiltration volume (around 340 GB at the time of writing this article). 
The official portal consists of only a few pages and, at least at the moment, does not include any manifesto describing the group’s activities and motives.</p> <p>The article <a href="https://www.edoardolimone.com/en/2024/12/17/data-breach-aiad/">Data breach: AIAD</a> comes from <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></content:encoded> <wfw:commentRss>https://www.edoardolimone.com/en/2024/12/17/data-breach-aiad/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item> <title>Data breach: INPS Servizi S.p.A.</title> <link>https://www.edoardolimone.com/en/2024/11/20/data-breach-inps-servizi-s-p-a/</link> <dc:creator><![CDATA[Edoardo Limone]]></dc:creator> <pubDate>Wed, 20 Nov 2024 21:14:48 +0000</pubDate> <category><![CDATA[Cybersecurity]]></category> <category><![CDATA[Data Breach]]></category> <category><![CDATA[Public Administration]]></category> <guid isPermaLink="false">https://www.edoardolimone.com/?p=18606</guid> <description><![CDATA[<p>The company INPS Servizi S.p.A. was the subject of a data breach by the LYNX collective, with data exfiltration and interruption of services. Let’s find out more. A lot of […]</p> <p>The article <a href="https://www.edoardolimone.com/en/2024/11/20/data-breach-inps-servizi-s-p-a/">Data breach: INPS Servizi S.p.A.</a> comes from <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></description> <content:encoded><![CDATA[<p>The company INPS Servizi S.p.A. was the subject of a data breach by the LYNX collective, with data exfiltration and interruption of services. Let’s find out more.</p> <span id="more-18606"></span> <p class="has-cyan-bluish-gray-background-color has-background">A lot of information <strong>is still to be verified</strong>: there is no certainty that it was the Lynx collective, the portal of INPS Servizi S.p.A. 
is still not working and there are some points to be clarified, but in the meantime we offer some reflections.</p> <h2 class="wp-block-heading">What happened</h2> <p>It would appear that on 18 November 2024, the Lynx collective attacked INPS Servizi S.p.A. and exfiltrated the company’s data, causing, among other things, the unavailability of the data in the infrastructure.</p> <h3 class="wp-block-heading">About INPS Servizi S.p.A.</h3> <figure class="wp-block-image aligncenter size-large"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-9.png"><img loading="lazy" decoding="async" width="1024" height="522" src="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-9-1024x522.png" alt="The image shows the INPS Servizi S.p.A. organisation chart" class="wp-image-18605" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-9-1024x522.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-9-300x153.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-9-768x391.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-9-1536x782.png 1536w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-9.png 1600w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption">The image shows the INPS Servizi S.p.A. organisation chart</figcaption></figure> <p>On <a href="https://www.linkedin.com/company/inps-servizi-spa/?originalSubdomain=it" target="_blank" rel="noreferrer noopener">LinkedIn</a> we read that</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>INPS Servizi SpA is an in-house providing joint-stock company wholly owned by INPS, established on 11 June 2021. INPS Servizi manages the Multichannel Contact Centre service for the Institute’s users. 
It provides administrative and accounting services to public and private social security and welfare institutions and funds, and to bilateral bodies, as well as services related to INPS’s institutional tasks.</p> </blockquote> <p>With regard to the IT infrastructure disruptions, it should be noted that on 20 November 2024 at 14:20, the company’s official portal (<a href="https://www.inpsservizi.it/" target="_blank" rel="noreferrer noopener">https://www.inpsservizi.it/</a>) was not reachable. However, it was possible to obtain a more extensive description of INPS Servizi S.p.A. from an <a href="https://web.archive.org/web/20241113115252/https://www.inpsservizi.it/chi-siamo/" target="_blank" rel="noreferrer noopener">old version of</a> the portal thanks to the Wayback Machine.</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>INPS Servizi S.p.a. is an in-house providing joint-stock company wholly owned by INPS, which came into existence on 11 June 2021 following the amendment of the name, corporate purpose and bylaws of Italia Previdenza SISPI S.p.a. These amendments were arranged on the basis of the provisions contained in Article 5bis of Decree-Law 101/2019, converted with amendments by Law 128/2019, which provided for the entrusting to INPS Servizi S.p.a. of the multi-channel contact centre (CCM) activities towards the Social Security Institute’s users and the continuation of the activities that already constituted the corporate purpose of Italia Previdenza SISPI S.p.a, which had been set up in 2001, with the task of providing administrative/accounting products/services, in particular for the collection of contributions and the payment of benefits for complementary and supplementary pension funds, and research and advisory services for the market in the area of social security and assistance in general. 
Until the date of its transformation into INPS Servizi S.p.a., the company was involved in the following activities and services, which will continue to be performed in conjunction with the multi-channel contact centre service:</p> <ul class="wp-block-list"> <li>activities aimed at settling, in favour of Poste Spa employees, the severance indemnities accrued up to 28 February 1998, the date of transformation of Ente Poste into a joint-stock company, which are materially disbursed by the Gestione Commissariale Fondo Buonuscita for Poste Italiane S.p.a. employees;</li> <li>Provision of the data contained in F24 and Uniemens flows, together with other administrative services, required by the bilateral bodies for the acquisition of contributions and for other institutional purposes provided for by collective bargaining in favour of workers employed by companies applying the collective bargaining agreements;</li> </ul> <p>As stipulated in its statutes, INPS Servizi can provide administrative accounting services to public and private social security and welfare institutions and funds. Until 2020, the company also handled the following activities:</p> <ul class="wp-block-list"> <li>Administrative service in favour of FONDINPS, a residual supplementary pension fund set up at INPS under Legislative Decree No 252/2005 and intended for employees of companies without a contractual fund and who have not made explicit the destination of their TFR. 
In accordance with the law, since 2020 the Fund has been placed in liquidation and the positions of its members have been transferred to the COMETA Pension Fund, which now manages the residual complementary pension form in place of FONDINPS.</li> <li>Horizontal Secretariat and Component activities, within the European Cooperation Project called “EU-China – Social Protection Reform Project SPRP”, which from 2016 to 2019 had the task of providing the Chinese government authorities with expert support for the revision of the social protection system.</li> </ul> </blockquote> <h3 class="wp-block-heading">History of events</h3> <ul class="wp-block-list"> <li>18/11/2024-Presumed date of infection of INPS Servizi S.p.A.</li> <li>19/11/2024-INPS Servizi S.p.A. communicated the data breach to suppliers (e.g. QuAS)</li> <li>22/11/2024-INPS Servizi S.p.A. activates temporary portal</li> </ul> <h3 class="wp-block-heading">Lynx ransomware: historical traits and spread</h3> <p>About the Lynx collective, however, a few things are known thanks to the <a href="https://www.ransomfeed.it" target="_blank" rel="noreferrer noopener">Ransomfeed</a> project: the collective was the author of 49 attacks in 2024, but never against Italy. The countries affected so far include Australia, Canada, Costa Rica, Guatemala, Luxembourg, the Netherlands, the Republic of Cape Verde, Singapore, Spain, Great Britain and the United States of America. Now Lynx can also add Italy to its list.</p> <p>From the PaloAlto researchers, however, we <a href="https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/" target="_blank" rel="noreferrer noopener">learn</a> something different:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>In July 2024, researchers at Palo Alto Networks discovered a successor to the INC ransomware called Lynx. 
Since its emergence, the group behind this ransomware has actively targeted organisations in various sectors such as retail, real estate, architecture, and financial and environmental services in the US and UK. Lynx ransomware shares a significant part of its source code with INC ransomware. The INC ransomware initially emerged in August 2023 and had variants compatible with both Windows and Linux. Although we have not yet confirmed any Linux samples for Lynx ransomware, we have noticed Windows samples. This ransomware operates using a ransomware-as-a-service (RaaS) model.</p> </blockquote> <p>Lynx’s activity has been tracked by PaloAlto over time and is summarised in the graph below.</p> <figure class="wp-block-image aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="408" src="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-13-1024x408.png" alt="Graph on the evolution of Lynx ransomware provided by the company PaloAlto Network" class="wp-image-18602" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-13-1024x408.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-13-300x120.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-13-768x306.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-13-1536x612.png 1536w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-13.png 1757w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Graph on the evolution of Lynx ransomware provided by the company PaloAlto Network</figcaption></figure> <h3 class="wp-block-heading">Lynx ransomware: the manifesto</h3> <p>A short message on the group’s official blog is meant to summarise the ‘principles’ behind its offensives.</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>Lynx Ransomware’s core motivation is grounded in financial incentives, with a clear intention to avoid undue harm to organisations. We recognise the importance of ethical considerations in the pursuit of financial gain and maintain a strict policy against targeting governmental institutions, hospitals, or non-profit organisations, as these sectors play vital roles in society. Our operational model encourages dialogue and resolution rather than chaos and destruction. We believe that fostering an environment where businesses can engage in constructive problem-solving can lead to better outcomes for all parties involved. This perspective allows us to engage with organisations in a manner that emphasises negotiation and mutual understanding, generating economic activity while minimising disruption to the essential functions of society. In pursuing these goals, our commitment is to uphold professional standards that prioritise transparency in communication and targeted interactions, thus reinforcing a framework where commerce and cybersecurity can coexist without spilling into unnecessary conflict or harm.</p> </blockquote> <h3 class="wp-block-heading">Lynx ransomware: the blog</h3> <p>Lynx’s blog can currently be found at <a href="http://lynxblog.net/leaks" target="_blank" rel="noreferrer noopener">http://lynxblog.net/leaks</a> and resolves to the address 88.151.117.237:</p> <pre class="wp-block-preformatted">inetnum: 88.151.117.0 - 88.151.117.254<br>netname: RU-DLINE-20220513<br>country: RU<br>org: ORG-DLM6-RIPE<br>admin-c: DLM62-RIPE<br>tech-c: DLM62-RIPE<br>status: ASSIGNED PA<br>mnt-by: IP-RIPE<br>created: 2022-05-12T23:16:20Z<br>last-modified: 2022-05-12T23:16:23Z<br>source: RIPE<br><br>organisation: ORG-DLM6-RIPE<br>org-name: Goroshko Evgeniy Andreevich<br>country: RU<br>org-type: OTHER<br>address: mkr. Rostoshi, ul. Sadovoe Koltso, d. 116<br>address: 460008 Orenburg<br>address: Russia<br>abuse-c: DLM62-RIPE<br>mnt-ref: IP-RIPE<br>mnt-by: IP-RIPE<br>created: 2020-11-01T11:16:28Z<br>last-modified: 2024-04-23T10:52:04Z<br>source: RIPE # Filtered<br><br>role: DLine Media<br>address: mkr. Rostoshi, ul. 
Sadovoe Koltso, d. 116<br>address: 460008 Orenburg<br>address: Russia<br>abuse-mailbox: info@dline-media.com<br>phone: +7 985 6640514<br>nic-hdl: DLM62-RIPE<br>mnt-by: IP-RIPE<br>created: 2020-11-01T11:15:36Z<br>last-modified: 2020-11-01T11:15:36Z<br>source: RIPE # Filtered</pre> <p>The blog is therefore hosted on Russian infrastructure.</p> <h3 class="wp-block-heading">Lynx ransomware: some technical information</h3> <p>Lynx ransomware is known to be a variant of the earlier INC Ransomware, about which PaloAlto Networks states:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>The Lynx ransomware samples we analysed used <strong>AES-128 encryption</strong> algorithms <strong>in CTR mode and Curve25519 Donna.</strong> All files are encrypted and have the extension .lynx added. This version of the malware is designed for the Windows platform and is written in the C++ programming language.</p> </blockquote> <p>Regarding the type of encryption used, we learn from <a href="https://code.google.com/archive/p/curve25519-donna/" target="_blank" rel="noreferrer noopener">Google Code</a> that:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>curve25519 is an elliptic curve, developed by Dan Bernstein, for a fast Diffie-Hellman key agreement. The original implementation by DJB was written in a language of his own devising called qhasm. The original source code of qhasm is not available, only the 32-bit x86 assembly output. Since many x86 systems are now 64-bit and portability is important, this project provides alternative implementations for other platforms.</p> </blockquote> <p>The <a href="https://blackpointcyber.com/resources/threat-profile/lynx-ransomware/" target="_blank" rel="noreferrer noopener">Blackpoint Cyber portal</a> reports that the ransomware encrypts 1 MB of every 6 MB of the file; files smaller than 1 MB are fully encrypted. 
This differs from INC Ransom in that INC Ransom also offers a ‘fast’ and a ‘slow’ encryption mode. Furthermore, we learn that both Lynx and INC Ransom use the DeviceIoControl function to control devices and delete backup copies. In the Lynx ransomware variant, the DeviceIoControl function only works when both the ‘-file’ and ‘-dir’ arguments are not used.</p> <p>DeviceIoControl is a function of the Windows API that allows applications to communicate directly with device drivers. It is designed to send specific commands or control requests to hardware devices, file systems or drivers, allowing detailed control at the operating system level. The main areas of application include:</p> <ol class="wp-block-list"> <li>Device management: control of specific hardware (such as hard disks, USB devices, or virtual devices).</li> <li>Advanced file system access: operations requiring elevated privileges, such as queries on volumes or partitions.</li> <li>Driver development: testing and debugging of customised drivers.</li> </ol> <p>Since DeviceIoControl allows privileged access, it can be misused for malicious purposes, such as bypassing system protections. It is therefore essential to carefully manage permissions and verify calls. For more information, please refer to <a href="https://learn.microsoft.com/en-us/windows/win32/api/ioapiset/nf-ioapiset-deviceiocontrol" target="_blank" rel="noreferrer noopener">Microsoft’s official documentation</a>.</p> <p>We also learn from the Blackpoint portal that in May 2024, INC Ransom operators offered their source code for sale on a dark web forum for USD 300,000. 
BlackBerry researchers reported that Lynx and INC Ransom used the same email address, gansbronz{at}gmail{.}com, within specialised web portals.</p> <p>In an <a href="https://www.redhotcyber.com/en/post/rhc-interviews-lynx-ransomware-the-cyber-gang-offering-pentest-services-ensuring-privacy/">interview with RedHotCyber</a>, the collective behind the Lynx ransomware explained that:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>The group describes its activities as exclusively ‘financially motivated’ and a policy that does not allow attacks against critical, government and healthcare facilities.</p> </blockquote> <h2 class="wp-block-heading">About the data</h2> <p>INPS Servizi S.p.A. is a sizeable organisation: it has more than 2,800 professionals spread over 5 Directorates and 12 operational sites: Bari, Catania, Cosenza, Crotone, Ivrea, L’Aquila, Lecce, Milan, Naples, Olbia, Rome and Terni. The amount of data stolen is therefore potentially considerable.</p> <p>INPS Servizi S.p.A.’s handling of the data had to meet the minimum security requirements of AgID Circular 2/2017, as well as Legislative Decree 138/2024 (the transposition of the NIS 2 Directive). It appears from the Health Insurance Fund for Managers (QuAS), for which INPS Servizi S.p.A. 
was the supplier, that the data concerning the Fund was held in aggregated form.</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>We would like to point out that the data that Inps Servizi manages for QuAS only relate to the total contributions paid by each company, <strong>without any details concerning individual members</strong>.</p> </blockquote> <p>This reduces the impact of the data breach as far as QuAS is concerned, but the other exfiltrated information remains, which, given the size of INPS Servizi S.p.A., may not be small.</p> <hr class="wp-block-separator has-alpha-channel-opacity" /> <h2 class="wp-block-heading">Updates on events</h2> <h3 class="wp-block-heading">22/11/2024-22:32-The INPS Servizi portal is back online</h3> <figure class="wp-block-image aligncenter size-large"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-23.png"><img loading="lazy" decoding="async" width="1024" height="802" src="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-23-1024x802.png" alt="" class="wp-image-18593" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-23-1024x802.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-23-300x235.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-23-768x601.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-23-1536x1203.png 1536w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-23-2048x1604.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></figure> <p>The INPS Servizi S.p.A. 
portal went back online at around 22:32 on 26 November 2024.</p> <h3 class="wp-block-heading">22/11/2024-20:25-The temporary portal of INPS Servizi is online</h3> <figure class="wp-block-image aligncenter size-large"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-17.png"><img loading="lazy" decoding="async" width="1024" height="545" src="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-17-1024x545.png" alt="" class="wp-image-18595" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-17-1024x545.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-17-300x160.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-17-768x409.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-17-1536x817.png 1536w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-17.png 1785w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></figure> <p>At around 20:25 on 22/11/2024, the temporary portal of INPS Servizi S.p.A. came back online with a message confirming that a cyber attack had taken place and that recovery actions were in progress.</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>InpsServizi S.P.A. suffered an IT attack that rendered temporarily unavailable the functions of the Institutional Portal and some management applications. Ongoing actions are focused on restoring the compromised infrastructure in a timely and secure manner.</p> </blockquote> <p>At about 21:40 the work was still in progress: the screenshot below shows an error that is probably just a temporary by-product of the restoration work. Fastly returns this message when a hostname resolves to its edge network but is not yet configured on any Fastly service, which is consistent with a DNS cut-over to a new front end that had not yet been completed.</p> <figure class="wp-block-image aligncenter size-large"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-18.png"><img loading="lazy" decoding="async" width="1024" height="545" src="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-18-1024x545.png" alt="" class="wp-image-18594" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-18-1024x545.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-18-300x160.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-18-768x409.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-18-1536x817.png 1536w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-18.png 1785w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption">The status of the INPS Servizi S.p.A. portal at 21:41</figcaption></figure> <p>The full message on the page is:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>Fastly error: unknown domain: inpsservizi.it. 
Please check that this domain has been added to a service.</p> <p>Details: cache-fco2270028-FCO (151.101.131.10)</p> </blockquote> <h3 class="wp-block-heading">22/11/2024-17:00-INPS publishes a news item on the incident</h3> <figure class="wp-block-image aligncenter size-large"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-16.png"><img loading="lazy" decoding="async" width="1024" height="545" src="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-16-1024x545.png" alt="" class="wp-image-18596" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-16-1024x545.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-16-300x160.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-16-768x409.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-16-1536x817.png 1536w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-16.png 1785w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption">INPS statement on the hacker attack</figcaption></figure> <p>Finally, a news item appears on the INPS portal (about four days after the incident) about what happened to the company INPS Servizi S.p.A. The full text states the following:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p><strong>INPS: no consequences on our systems following the hacker attack against INPS Servizi SPA</strong></p> <p>There were no consequences on INPS’s IT systems following the hacker attack against INPS Servizi SPA. Late yesterday, INPS Servizi SPA correctly communicated, through a note to press agencies, that it had been subject to a violent computer attack. The Institute clarifies that <strong>INPS and INPS Servizi SPA are two separate entities, and reassures citizens and users that no INPS IT structure has been affected by the attack</strong>, and that <strong>neither the Institute’s functions nor systems have been compromised</strong>. INPS is currently providing active technical and consulting support to facilitate the rapid restoration of INPS Servizi SPA’s full IT operations.</p> </blockquote> <h3 class="wp-block-heading">22/11/2024-09:00-Repubblica publishes the news</h3> <p>As of 09:00 there has still been no official claim of the attack against INPS Servizi S.p.A., but the news has now spread: Repubblica, on 21 November 2024 at 23:31, <a href="https://www.repubblica.it/economia/2024/11/21/news/attacco_hacker_inps_server_bloccati-423682154/?ref=search" target="_blank" rel="noreferrer noopener">published a short article</a> on the case.</p> <figure class="wp-block-image aligncenter size-large is-resized"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/11/2024_11_22-Repubblica-INPS-Servizi.png"><img loading="lazy" decoding="async" width="1024" height="1013" src="https://www.edoardolimone.com/wp-content/uploads/2024/11/2024_11_22-Repubblica-INPS-Servizi-1024x1013.png" alt="Screenshot of the article published by the newspaper Repubblica" class="wp-image-18599" style="width:453px;height:auto" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/11/2024_11_22-Repubblica-INPS-Servizi-1024x1013.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/11/2024_11_22-Repubblica-INPS-Servizi-300x297.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/11/2024_11_22-Repubblica-INPS-Servizi-768x760.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/11/2024_11_22-Repubblica-INPS-Servizi.png 1310w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption">Screenshot of the article published by the newspaper Repubblica</figcaption></figure> 
<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>ROME – “InpsServizi spa (an in-house company of the Inps) has suffered a ransomware attack that led to the blocking of some servers, making some management applications and data supplied to its customers temporarily unavailable”. This is what is stated in a note from the institute in which it is specified that ‘the incident was promptly reported to all the competent authorities’.</p> </blockquote> <p>In the meantime (12:40 p.m.) on the official INPS website there is no news in the ‘News’ section and the INPS Servizi S.p.A. portal continues to be unreachable.</p> <figure class="wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex"><figure class="wp-block-image size-large"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-15.png"><img loading="lazy" decoding="async" width="1024" height="545" data-id="18597" src="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-15-1024x545.png" alt="Screenshot of 22 November 2024 12:38 p.m. 
from the News section of the INPS portal" class="wp-image-18597" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-15-1024x545.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-15-300x160.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-15-768x409.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-15-1536x817.png 1536w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-15.png 1785w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></figure> <figure class="wp-block-image size-large"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-14.png"><img loading="lazy" decoding="async" width="1024" height="545" data-id="18598" src="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-14-1024x545.png" alt="Screenshot of 22 November 2024 12:40 p.m. of the INPS Servizi S.p.A. portal still unavailable" class="wp-image-18598" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-14-1024x545.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-14-300x160.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-14-768x409.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-14-1536x817.png 1536w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-14.png 1785w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></figure> </figure> <h3 class="wp-block-heading">20/11/2024-14:00-No official claim yet from Lynx</h3> <p>At approximately 14:00 on 20 November 2024, Lynx had not yet published any data on INPS Servizi S.p.A., as the screenshot below shows.</p> <figure class="wp-block-image aligncenter size-large"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-12.png"><img loading="lazy" decoding="async" width="1024" height="593" src="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-12-1024x593.png" alt="Screenshot of the Lynx 
collective's portal of 20 November 2024 at 14:55 in which the data breach at INPS Servizi S.p.A. is not yet visible." class="wp-image-18603" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-12-1024x593.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-12-300x174.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-12-768x445.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-12-1536x890.png 1536w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-12-2048x1187.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption">Screenshot of the Lynx collective’s portal of 20 November 2024 at 14:55 in which the data breach at INPS Servizi S.p.A. is not yet visible.</figcaption></figure> <h3 class="wp-block-heading">19/11/2024-Confirmation of data breach by QuAS</h3> <p>Despite the fact that no official news appears either on the INPS website or on the official portal of INPS Servizi S.p.A. (which, indeed, is not even online), a statement was published by a customer of INPS Servizi S.p.A. that confirms and circumscribes what happened.</p> <figure class="wp-block-gallery aligncenter has-nested-images columns-default is-cropped wp-block-gallery-2 is-layout-flex wp-block-gallery-is-layout-flex"><figure class="wp-block-image size-full"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/11/2024_11_20-2242-Inps-News.png"><img loading="lazy" decoding="async" width="2880" height="1556" data-id="18601" src="https://www.edoardolimone.com/wp-content/uploads/2024/11/2024_11_20-2242-Inps-News.png" alt="Screenshot of the news section of the INPS portal taken at 22:42 in which no information appears on the incident at INPS Servizi S.p.A." 
class="wp-image-18601" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/11/2024_11_20-2242-Inps-News.png 2880w, https://www.edoardolimone.com/wp-content/uploads/2024/11/2024_11_20-2242-Inps-News-300x162.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/11/2024_11_20-2242-Inps-News-1024x553.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/11/2024_11_20-2242-Inps-News-768x415.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/11/2024_11_20-2242-Inps-News-1536x830.png 1536w, https://www.edoardolimone.com/wp-content/uploads/2024/11/2024_11_20-2242-Inps-News-2048x1106.png 2048w" sizes="(max-width: 2880px) 100vw, 2880px" /></a><figcaption class="wp-element-caption">Screenshot of the news section of the INPS portal taken at 22:42 in which no information appears on the incident at INPS Servizi S.p.A.</figcaption></figure> <figure class="wp-block-image size-full"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/11/2024_11_20-2210-Quas.png"><img loading="lazy" decoding="async" width="1920" height="958" data-id="18600" src="https://www.edoardolimone.com/wp-content/uploads/2024/11/2024_11_20-2210-Quas.png" alt="Screenshot of the statement published by QuAS about the ransomware attack." 
class="wp-image-18600" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/11/2024_11_20-2210-Quas.png 1920w, https://www.edoardolimone.com/wp-content/uploads/2024/11/2024_11_20-2210-Quas-300x150.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/11/2024_11_20-2210-Quas-1024x511.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/11/2024_11_20-2210-Quas-768x383.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/11/2024_11_20-2210-Quas-1536x766.png 1536w" sizes="(max-width: 1920px) 100vw, 1920px" /></a><figcaption class="wp-element-caption">Screenshot of the statement published by QuAS about the ransomware attack.</figcaption></figure> </figure> <p>The news, in fact, was <a href="https://www.quas.it/Content/Index/POP%20UP" target="_blank" rel="noreferrer noopener">published on the QuAS portal</a> (Cassa Assistenza Sanitaria Quadri) of which INPS Servizi S.p.A. is a supplier. The official press release reported by <a href="https://www.ransomfeed.it">Ransomfeed</a> states the following.</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p><strong>Warning: Computer attack on the Inps Services provider – Activities to protect members</strong></p> <p>On 19/11/24 INPS Servizi, which provides QuAS with the cumulative data on contributions paid by companies using the F24 form, announced that it had suffered a ransomware attack on 18 November 2024. We would like to clarify that the data that Inps Servizi manages for QuAS only relate to the total contributions paid by each company, without any details relating to individual members.<br>The event is in no way attributable to QuAS, but only affected the systems of Inps Servizi and had no effect on the IT systems of QuAS. QuAS took prompt action to inform the Garante per la protezione dei dati personali and to comply with all legal obligations to protect members. 
Thank you for your understanding and trust.</p> </blockquote> <p></p> <p>L'articolo <a href="https://www.edoardolimone.com/en/2024/11/20/data-breach-inps-servizi-s-p-a/">Data breach: INPS Servizi S.p.A.</a> proviene da <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></content:encoded> </item> <item> <title>NIS 2: General Considerations</title> <link>https://www.edoardolimone.com/en/2024/11/19/nis-2-general-considerations/</link> <dc:creator><![CDATA[Edoardo Limone]]></dc:creator> <pubDate>Tue, 19 Nov 2024 12:22:41 +0000</pubDate> <category><![CDATA[Cybersecurity]]></category> <category><![CDATA[NIS 2]]></category> <category><![CDATA[Sicurezza Informatica]]></category> <guid isPermaLink="false">https://www.edoardolimone.com/?p=18388</guid> <description><![CDATA[<p>NIS 2 is bringing a number of compliance activities by private companies and public administrations, sometimes not very consistent with the regulations. Let us try to make some reflections on […]</p> <p>L'articolo <a href="https://www.edoardolimone.com/en/2024/11/19/nis-2-general-considerations/">NIS 2: General Considerations</a> proviene da <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></description> <content:encoded><![CDATA[<p>NIS 2 is bringing a number of compliance activities by private companies and public administrations, sometimes not very consistent with the regulations. Let us try to make some reflections on this.</p> <span id="more-18388"></span> <h2 class="wp-block-heading">Generalities on Italian transposition</h2> <p>The European Directive NIS 2 (CELEX 2022/2555) was transposed by Italy by Legislative Decree 138 of 4 September 2024. The transposition introduces some substantial changes to the norm, such as Annex 3 ‘Central, regional, local and other administrations’, in which the list of the P.A. affected by NIS 2 is made explicit. 
It is therefore not a direct and unchanged transposition; there have been changes that also produce some important misalignments. For example, Article 21, which in the European text contains the <em>‘Obligations concerning risk management measures for information security’</em>, is found in Article 24 of the Legislative Decree. The rule must therefore be read in full, and carefully, because there are significant differences between the two texts.</p> <h2 class="wp-block-heading">Procedures, not just technique</h2> <p>The first common mistake is to consider NIS 2 a regulation based on technical apparatus; instead, it is a directive that demands the establishment of <strong>procedures</strong>, <strong>policies</strong> and <strong>strategies</strong>, i.e. documents. This is stated in the aforementioned Article 24:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>(a) Risk analysis policies…<br>(b) Policies and procedures for evaluating the effectiveness of risk management measures…<br>(c) Policies and procedures relating to the use of encryption…<br>(d) Access control policies….</p> </blockquote> <p>These are some of the security measures and, as you can see, they refer to management methods and not to technical systems. This is normal: NIS 2 assumes (correctly) that the technical system is there but that there may not be a well-defined and up-to-date procedure governing it. 
Therefore, the first aspect to consider is the procedures, and thus the completeness of the documents in question.</p> <h2 class="wp-block-heading">Supplier Management</h2> <p>Article 24(2)(d) talks to us about <em>supply chain security</em>, and this means that the organisation can ask suppliers to prove their security through certifications, attestations of various kinds and, above all, by formalising how the two parties interact and handle incidents.</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>supply chain security, including security aspects concerning the relationship between each entity and its direct suppliers or service providers;</p> </blockquote> <p>This last aspect is very often neglected: NIS 2 requires a review of supply contracts to check whether they contain the correct service levels, the procedures to be followed for handling IT incidents, and the communication channels to be used on both sides. The formalisation of these agreements (not necessarily contracts) is often partly missing from the contractual framework.</p> <figure class="wp-block-image aligncenter size-large"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/11/image.png"><img loading="lazy" decoding="async" width="1024" height="113" src="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-1024x113.png" alt="" class="wp-image-18387" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/11/image-1024x113.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-300x33.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-768x84.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image-1536x169.png 1536w, https://www.edoardolimone.com/wp-content/uploads/2024/11/image.png 1728w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption">ISO 27001:2022 includes a security control (5.19) that talks about agreements with the supplier to manage 
security</figcaption></figure> <p>This is a very important aspect in order to avoid, for instance, a supplier failing to report that it has been the victim of a data breach, in turn exposing the client organisation’s IT ecosystem. On the other hand, this also means that organisations using suppliers should check the soundness of the party they intend to engage, and that they should continue to carry out periodic audits in order to verify and guarantee good conduct throughout the contractual life of the supplier. This point, therefore, establishes an obligation of control <em>ex ante</em> and during the relationship (<em>in fieri</em>), but also of formalised procedures for the management of incidents and for the correct communication to those involved. The termination of the relationship with the supplier must also take place properly, with the closure of accounts and access and the formal termination of the relationship between organisation and supplier.</p> <h2 class="wp-block-heading">Race to the standards</h2> <p>When a company chooses to adopt a standard (e.g. ISO 27001 or the CIS Critical Security Controls), it should ask itself some questions about its sustainability. NIS 2 is a constant obligation, just as maintaining the security measures of the standard is constant. The path to certification can be long and complex and, in most cases, its requirements are rarely observed afterwards. It is therefore not a <em>sticker to be displayed</em>, as it is linked to measures and procedures that must be maintained over time. 
The choice of a standard compatible with NIS 2 is therefore an activity that must be carried out very carefully.</p> <p>The Italian P.A., by the way, is already obliged to meet security requirements that, in many cases, are defined within the now almost forgotten (but still mandatory) <a href="https://www.agid.gov.it/it/sicurezza/misure-minime-sicurezza-ict" target="_blank" rel="noreferrer noopener">AgID Circular 2/2017</a> bearing the ‘Minimum ICT Security Measures for Public Administration’ and based on the well-known <a href="https://www.edoardolimone.com/?s=csc" target="_blank" rel="noreferrer noopener">CIS Critical Security Controls</a>.</p> <h2 class="wp-block-heading">The wrong attitude</h2> <p>The most mistaken attitude towards the adoption of the NIS 2 Directive is precisely to minimise its consequences. Firstly, because the Italian transposition of NIS 2 is wide-ranging and includes substantially all public entities and a large part of private organisations. Secondly, because in the event of an inspection there would be a chain of failures that would not only concern the requirements of NIS 2 but, in the public sector, could also concern other regulations. One often focuses on the well-known and recent <a href="https://www.gazzettaufficiale.it/eli/id/2024/07/02/24G00108/SG" target="_blank" rel="noreferrer noopener">Law 90/2024</a> ‘Provisions on strengthening national cybersecurity and cybercrime’ while ignoring other, sometimes even more technical, regulations.</p> <p>It is therefore a colossal mistake to minimise or neglect adherence to NIS 2, because non-conformities could extend to other regulations, aggravating the subject’s position at the inspection stage.</p> <h2 class="wp-block-heading">Initial disorientation</h2> <p>If companies have never gone through a sound process of adopting security measures, it is clear that the NIS 2 Directive will appear to them as an insurmountable mountain of ‘strange’ obligations and threats of sanctions. 
However, it must be made clear that this impression is false: NIS 2 adoption is achievable with some effort and is certainly not impossible. It requires the establishment of processes and the identification of roles and responsibilities, nothing more. On the contrary, it can help to better identify responsibilities in dealing with suppliers and to minimise the consequences in the event of an incident. Part of the disorientation is due to not reading the standard and not understanding the interaction between it and other industry regulations. Another common reason for disorientation is the lack of interaction between the organisation’s internal departments: establishing an effective procedure means involving several company departments, and this rarely happens. The result is a gradual decay in the effectiveness of any security system, leading to the risk of data breaches and sanctions.</p> <h2 class="wp-block-heading">Conclusion</h2> <p>First of all, adopting NIS 2 is possible and does not require ‘somersaults’ or major financial outlays, but the ability to adopt procedures that are then maintained over time. Secondly, it is clear that the legislation has to be read in its entirety: there are many rules that refer to the European Internal Market Regulation and that require attention in order to fully understand the scope of the Directive. Ultimately, NIS 2 puts the players at a crossroads: one road leads to real adoption and the other to cosmetic adoption. Time will be the factor that determines which of the two roads is taken: it is not difficult to adopt cybersecurity policies, but it is difficult to maintain them over time. 
It requires discipline and ethics that people often prefer to give up for convenience and simplicity.</p> <h3 class="wp-block-heading">A different name: a question of form</h3> <p>Finally, a curiosity related to the name: it will not have escaped the more observant that many texts speak interchangeably of NIS2 (without space) and NIS 2 (with space), but what is the correct form? The European Directive (CELEX EU 2022/2555) has the following text in its title:</p> <p class="has-text-align-center has-light-green-cyan-background-color has-background"><em>on measures towards a high common level of cybersecurity in the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 ( <strong>NIS 2</strong> Directive)</em></p> <p>As can be seen, the original text has the acronym NIS 2 (NIS-space-2), but the transposing legislative decree reads:</p> <p class="has-text-align-center has-light-green-cyan-background-color has-background"><em>DRAFT LEGISLATIVE DECREE TRANSPOSING <strong>NIS2</strong></em></p> <p>There do not appear to be any occurrences with a space and therefore, having to refer to the Italian implementation, one can write NIS2 without a space.</p> <p>L'articolo <a href="https://www.edoardolimone.com/en/2024/11/19/nis-2-general-considerations/">NIS 2: General Considerations</a> proviene da <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></content:encoded> </item> <item> <title>The culture of data management</title> <link>https://www.edoardolimone.com/en/2024/10/30/the-culture-of-data-management/</link> <dc:creator><![CDATA[Edoardo Limone]]></dc:creator> <pubDate>Wed, 30 Oct 2024 21:38:26 +0000</pubDate> <category><![CDATA[Cybersecurity]]></category> <category><![CDATA[Digitalizzazione]]></category> <category><![CDATA[Public Administration]]></category> <category><![CDATA[Sicurezza Informatica]]></category> <guid isPermaLink="false">https://www.edoardolimone.com/?p=18279</guid> 
<description><![CDATA[<p>The Equalize case is filling the front pages of the national press and is spreading like wildfire. On social media, it is being talked about in a very technical way, […]</p> <p>L'articolo <a href="https://www.edoardolimone.com/en/2024/10/30/the-culture-of-data-management/">The culture of data management</a> proviene da <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></description> <content:encoded><![CDATA[<p>The Equalize case is filling the front pages of the national press and is spreading like wildfire. On social media, it is being talked about in a very technical way, at the risk, however, of neglecting important aspects of the issue.</p> <span id="more-18279"></span> <h2 class="wp-block-heading">The culture of data</h2> <p>It is good to clarify the problem right away: the Equalize case concerns information technology, but it is not just an IT problem. It mainly concerns the ability to manage and protect information correctly (be it digital or paper), and recently in Italy there have been several cases that have highlighted certain difficulties:</p> <ul class="wp-block-list"> <li>March 2024 – The case of Guardia di Finanza lieutenant Pasquale Striano, for unauthorised access to the database of the National Anti-Mafia Directorate <a href="https://www.ilpost.it/2024/03/12/pasquale-striano-dossieraggi-guardia-di-finanza/" target="_blank" rel="noreferrer noopener">(for more details click here)</a>.</li> <li>September 2024 – The case of the Intesa Sanpaolo employee who freely accessed the accounts of several famous customers without any particular control by the bank <a href="https://www.ilpost.it/2024/10/10/inchiesta-violazione-dati-politici/" target="_blank" rel="noreferrer noopener">(for more details click here)</a>.</li> <li>September 2024 – The case of Carmelo Miano, 24, who accessed the databases of the Ministry of Justice, Public Prosecutors’ Offices and others <a 
href="https://www.ilpost.it/2024/10/17/carmelo-miano-hacker-procure/" target="_blank" rel="noreferrer noopener">(for more details click here)</a>.</li> <li>October 2024 – The Equalize case and the data thefts from major Italian databases <a href="https://www.ilpost.it/2024/10/26/inchiesta-procura-milano-furto-banche-dati/" target="_blank" rel="noreferrer noopener">(for more details click here)</a>.</li> </ul> <p>All these <em>recent cases</em> point to a common problem: the inability to attribute a correct value to the data and, on the basis of that value, to set up correct security and monitoring measures. We are talking, specifically, about adopting <em>internal</em> and <em>external</em> protection measures that are <em>proportional</em> to the sensitivity of the information contained in the database. Many readers will recognise the term <em>proportionality</em> as one of the founding features of our data protection system.</p> <h2 class="wp-block-heading">Why it is not an IT problem</h2> <p>It is certainly important to note that these events involved different databases, including:</p> <ul class="wp-block-list"> <li><strong>SDI (Sistema d’Indagine)</strong>: a system accessed by law enforcement agencies to check people’s criminal records;</li> <li><strong>INPS</strong>: where information on contributions and income is kept;</li> <li><strong>Serpico</strong>: a computer system that collects and processes data from the Agenzia delle Entrate (the Italian revenue agency) to cross-check possible cases of tax evasion, and which stores tax returns;</li> <li><strong>ANPR</strong>: the National Register of the Resident Population;</li> <li><strong>SIVA</strong>: the Guardia di Finanza’s Currency Information System for reporting suspicious financial transactions;</li> <li><strong>SIDDA/SIDNA</strong>: in which all data relating to ‘information’ on preliminary investigations and on proceedings pending or concluded at the individual district prosecutors’ offices are stored <a 
href="https://www.sicurezzaegiustizia.com/la-banca-dati-del-sistema-sidda-sidna/" target="_blank" rel="noreferrer noopener">(for more details click here)</a>.</li> </ul> <p>Those who assume a <em>bug</em> are mistaken: this is not a technical problem; the issue is of a different nature and concerns awareness in the processes for handling this information. Awareness which, as in the Striano case, leaves much to be desired.</p> <h3 class="wp-block-heading">An example: security measures in the Striano case</h3> <p>On 24 October 2024, the hearing of Colonel Antonio Sassi, Head of the Analysis Office of the Special Currency Police Unit of the Guardia di Finanza, and of Colonel Stefano Giovanni Salvatore Rebechesu, Head of the Operations Office of the Central Italy Interregional Command of the Guardia di Finanza, was held in the Fifth Floor Chamber of Palazzo San Macuto, regarding the events surrounding the so-called <em>Striano case</em>. For the sake of completeness, here is the <a href="https://webtv.camera.it/evento/26455" target="_blank" rel="noreferrer noopener">link to the video of the hearing</a>; Scarpinato’s questions begin at the start of <a href="https://webtv.camera.it/evento/26455?position=1" target="_blank" rel="noreferrer noopener">part 2</a>, around minute 05:00.</p> <figure class="wp-block-image aligncenter size-large"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/10/Scarpinato-Sassi.png"><img loading="lazy" decoding="async" width="1024" height="584" src="https://www.edoardolimone.com/wp-content/uploads/2024/10/Scarpinato-Sassi-1024x584.png" alt="" class="wp-image-18278" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/10/Scarpinato-Sassi-1024x584.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/10/Scarpinato-Sassi-300x171.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/10/Scarpinato-Sassi-768x438.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/10/Scarpinato-Sassi.png 1072w" 
sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption">A frame from the hearing</figcaption></figure> <p>During the hearing, <a href="https://www.senato.it/composizione/senatori/elenco-alfabetico/scheda-attivita?did=00036423" target="_blank" rel="noreferrer noopener">Senator Scarpinato</a> put a series of questions to Col. Sassi, mainly about the internal controls in place to protect the information. In particular, he asked for clarification on the supervision of the queries that Guardia di Finanza personnel could run on themselves:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>You don't have an alert indicating the anomaly of such an access, because obviously there is a flaw […] if you don't consider including an alert for an anomaly of this kind, i.e. a Guardia di Finanza officer making queries about himself, there is something wrong. There is something that does not work, also for the future.</p> </blockquote> <p>Scarpinato's question is very sharp and is meant to expose a possible <em>design error</em> in a system that undoubtedly has high security levels, but apparently only against threats from outside and not from within. 
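</p> <p>To make Scarpinato's point concrete: the check below, added here as an example and not code from the hearing or from any Guardia di Finanza system, runs two rules over a constructed audit log of database lookups. The first flags an operator querying his own tax code, the alert the system was said to lack; the second goes a step beyond the hearing and flags lookups with no case reference, or with a case the operator is not assigned to. The log format, the identity directory, the case assignment table and the sample records are all assumptions.</p>

```python
"""
Self-lookup detection over database audit logs.

Added example, not code from the hearing or from any Guardia di Finanza
system. Assumptions (not in the original text): each audit record carries
the operator account, the database queried, the tax code of the subject
looked up and an optional case reference; an identity directory maps each
operator to their own tax code; a case assignment table says which cases
an operator may work on. All data below is constructed.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed identity directory: operator account -> operator's own tax code.
DIRECTORY = {
    "gdf0001": "RSSMRA80A01H501U",
    "gdf0002": "VRDLGU75C15F205Z",
    "psn0100": "BNCGPP82M20L219K",
}

# Constructed case assignments: operator account -> case references assigned.
ASSIGNMENTS = {
    "gdf0001": {"C-2024-118"},
    "gdf0002": {"C-2024-118", "C-2024-131"},
    "psn0100": set(),
}

# Constructed audit log (CSV). An empty case_ref means no justification recorded.
SAMPLE_LOG = """ts,operator,database,subject,case_ref
2024-10-01T09:12:03,gdf0001,SIVA,BNCGPP82M20L219K,C-2024-118
2024-10-01T09:15:41,gdf0001,SIVA,RSSMRA80A01H501U,C-2024-118
2024-10-01T10:02:17,gdf0002,SDI,VRDLGU75C15F205Z,
2024-10-01T10:05:00,gdf0002,SDI,RSSMRA80A01H501U,C-2024-131
2024-10-01T11:30:59,psn0100,SDI,RSSMRA80A01H501U,C-2024-131
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    operator: str
    database: str
    subject: str
    rule: str


def check_record(rec: dict) -> list[str]:
    """Return the names of the detection rules that a single audit record trips.

    self_lookup      - the subject queried is the operator's own tax code
                       (flagged even when a case reference is present).
    no_assigned_case - no case reference, or one the operator is not assigned to.
    """
    tripped = []
    own_code = DIRECTORY.get(rec["operator"])
    if own_code is not None and rec["subject"] == own_code:
        tripped.append("self_lookup")
    case = rec.get("case_ref", "").strip()
    if not case or case not in ASSIGNMENTS.get(rec["operator"], set()):
        tripped.append("no_assigned_case")
    return tripped


def scan_log(text: str) -> list[Alert]:
    """Run every rule over every record of a CSV audit log and collect alerts."""
    alerts = []
    for rec in csv.DictReader(io.StringIO(text)):
        for rule in check_record(rec):
            alerts.append(Alert(rec["ts"], rec["operator"], rec["database"],
                                rec["subject"], rule))
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.ts} {a.operator} {a.database} subject={a.subject} -> {a.rule}")
```

<p>Run as a script it prints one line per alert. The self-lookup rule fires even when a valid case reference is present, because a case never justifies querying oneself; the second rule records the objective justification that every other lookup should carry before an analyst lets it pass.</p> <p>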
Scarpinato would clarify the concept in another passage.</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p><strong>Scarpinato</strong>: you are telling me, excuse me, that currently an officer of the Guardia di Finanza can run queries about himself and nobody notices?</p> <p><strong>Sassi</strong>: not only an officer of the Guardia di Finanza: any member of the police forces, or anyone else authorised to use the databases.</p> <p><strong>Scarpinato</strong>: it is serious that this is still the case.</p> </blockquote> <p>Scarpinato is stressing a measure that is about design, organisation and concept, not merely technology: it is serious that an officer can query his own record without this being flagged in any objective way.</p> <figure class="wp-block-image aligncenter size-large"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/10/image-4.png"><img loading="lazy" decoding="async" width="1024" height="192" src="https://www.edoardolimone.com/wp-content/uploads/2024/10/image-4-1024x192.png" alt="" class="wp-image-18276" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/10/image-4-1024x192.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/10/image-4-300x56.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/10/image-4-768x144.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/10/image-4-1536x288.png 1536w, https://www.edoardolimone.com/wp-content/uploads/2024/10/image-4-2048x385.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption">Open published an <a href="https://www.open.online/2024/10/30/squadra-fiore-dossieraggio-roma-agenzia-cybersicurezza-nazionale/" target="_blank" rel="noreferrer noopener">article</a> on the dossier-building affair</figcaption></figure> <h2 class="wp-block-heading">Less cronyism and more results</h2> <p><em>Where was ACN while these data were being repeatedly and illegitimately consulted?</em></p> <p>This is the substantive question that many are asking on social media and in the press, given that 
it takes time to build dossiers on more than 800,000 people spied on. In recent years, Italy has created agencies, task forces, technical round tables, steering committees and organisational structures in such numbers that their remits sometimes overlap in practice. None of this is a guarantee of quality; on the contrary, it sometimes becomes the very cause of the problem. Take the case of ACN: Senator Matteo Renzi gave an <a href="https://www.ilponte.com/renzi-sul-caso-dossier-governo-incapace-basta-amichettismo/" target="_blank" rel="noreferrer noopener">interview</a> containing an important passage on appointments.</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>Yet the delegated authority for national security is Undersecretary Mantovano, a former magistrate and experienced politician, while at the Cybersecurity Agency there is a prefect like Bruno Frattasi. The relevant CVs are there, so what is not working?</p> <p>"It is clear that we do not have the technical capacity to handle a matter as vital as our security and privacy. Frattasi is a prefect, what are we talking about?"</p> </blockquote> <p>The problems, according to Renzi, are twofold: the lack of the technical capability required to coordinate an infrastructure such as the National Cybersecurity Agency, and <em>cronyism</em> (<em>amichettismo</em>), the phenomenon whereby top management positions are filled mainly on the basis of friendship.</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>When cronyism comes to endanger the constitutional rights of citizens, an alarm must be raised.</p> </blockquote> <p>The answer Italy has been offering for years rests on appointments with seemingly perfect CVs but questionable results, and with a heavy price paid by citizens' rights, which are sometimes outright compressed. 
This approach is also one of the reasons why one age group (the youngest) is deeply distrustful about the future of their careers. Italy basically seems not to have understood that this operational context (the <em>digital</em> one) is far more complex and delicate than any friendly arrangement one can reach. It is therefore <em>crucial</em> that these agencies are headed by people with full awareness of their decision-making roles and responsibilities but, above all, with skills commensurate with those roles.</p> <p>What is presented at conferences, round tables and webinars is very different from what happens 'in the real world'. Advanced and proven technical knowledge is needed; the decision-maker needs experience but also the right knowledge, and this, after all, applies to every professional field. No one would board an airliner if the captain's only experience was with small motorised aircraft: every context requires expertise, but this country keeps treating such top positions as 'a place to put a friend', and when the places run out, all one has to do is create a new technical-organisational structure.</p> <p>The results are not long in coming, and the events filling the newspapers these days are full proof of this. Now that everyone is asking '<em>what has ACN done</em>' or '<em>what is the point of ACN if it cannot prevent…</em>', we should look at how the organisation is growing, how it is developing and how it is exercising its powers.</p> <h2 class="wp-block-heading">Conclusions</h2> <p>Sometimes it seems as if Italy has stood still for forty years, with its friendships and lobbying, while the world around it moves on, and moves very fast indeed. 
The disgust at seeing one's own country dragged into scandals of this kind should outrage everyone, as should the inertia, incompetence and cronyism described above; but evidently we never have enough, and we cannot learn from our mistakes. So let us make an appointment for the next agency, the next technical round table, the next steering committee, perhaps even an unpaid one, propped up by the free contribution of professionals.</p> <p>The article <a href="https://www.edoardolimone.com/en/2024/10/30/the-culture-of-data-management/">The culture of data management</a> comes from <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></content:encoded> </item> <item> <title>Data breach Postel S.p.A.: the provision of the Garante</title> <link>https://www.edoardolimone.com/en/2024/10/29/data-breach-postel-s-p-a-the-provision-of-the-garante/</link> <dc:creator><![CDATA[Edoardo Limone]]></dc:creator> <pubDate>Tue, 29 Oct 2024 12:25:09 +0000</pubDate> <category><![CDATA[Cybersecurity]]></category> <category><![CDATA[Data Breach]]></category> <category><![CDATA[Ransomware]]></category> <guid isPermaLink="false">https://www.edoardolimone.com/?p=18259</guid> <description><![CDATA[<p>The newsletter of the Garante per la Protezione dei Dati Personali (Italian Data Protection Authority) reports as news measure No. 
572 of 4 July 2024 concerning the data breach suffered […]</p> <p>The article <a href="https://www.edoardolimone.com/en/2024/10/29/data-breach-postel-s-p-a-the-provision-of-the-garante/">Data breach Postel S.p.A.: the provision of the Garante</a> comes from <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></description> <content:encoded><![CDATA[<p>The newsletter of the Garante per la Protezione dei Dati Personali (Italian Data Protection Authority) reports as news <a href="https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/10063782" target="_blank" rel="noreferrer noopener">measure No. 572 of 4 July 2024</a> concerning the data breach suffered by Postel S.p.A. on 17 August 2023 and documented at length in <a href="https://www.edoardolimone.com/2023/08/16/postel-spa-data-breach/" target="_blank" rel="noreferrer noopener">this article</a>.</p> <span id="more-18259"></span> <h2 class="wp-block-heading">A 'tough but fair' measure</h2> <p>The measure offers food for thought, stemming from some very harsh considerations by the Authority on the security and processing of personal data. Italy, ever closer to the various NIS 2 deadlines, can no longer afford organisations that neglect or betray the constraints imposed by the legislation, and the Garante's measure seems intended to stress exactly this.</p> <h3 class="wp-block-heading">Impact, fine and problems</h3> <p>With around 25,000 data subjects affected, the Postel S.p.A. 
data breach caused a stir on social media because of a few points that looked unclear from the outset, including the quality of the communication published by the company, on which DPO Christian Bernieri <a href="https://twitter.com/prevenzione/status/1692492380513898824" target="_blank" rel="noreferrer noopener">had expressed himself very clearly</a>.</p> <figure class="wp-block-image aligncenter size-large is-resized"><a href="https://twitter.com/prevenzione/status/1692492380513898824" target="_blank" rel="noreferrer noopener"><img loading="lazy" decoding="async" width="1024" height="333" src="https://www.edoardolimone.com/wp-content/uploads/2024/10/image-2-1024x333.png" alt="" class="wp-image-18258" style="width:434px;height:auto" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/10/image-2-1024x333.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/10/image-2-300x97.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/10/image-2-768x250.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/10/image-2.png 1182w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></figure> <p>Months later, in the course of its inspection activities, the Data Protection Authority found the following:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>In particular, it has been ascertained that the Company, despite the significance of the data breach suffered, submitted an incomplete breach notification to the Authority; it was also established that the Company did not conduct itself in compliance with data protection regulations even with regard to the security measures that it should have adopted, in the terms to be indicated.</p> </blockquote> <p>The measure is very instructive because in its first part (before 'chapter 3') we learn some of the 'defensive' arguments put forward by Postel S.p.A., among which is the one meant to justify not installing a patch that was essential and had been 
widely reported by both Microsoft and the international CSIRTs (including ACN itself). Postel's position on this point is the following:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>the failure to patch the vulnerabilities in question did not result from the absence of corporate 'patch and vulnerability management' procedures and protocols, or from the inadequacy of such procedures and protocols. […] Unfortunately, however, due to a human error in the configuration of the scanning activities, the Exchange server targeted by the attack was excluded from the scan: this accidentally resulted in the failure to patch the aforementioned vulnerabilities, with regard to that system only.</p> </blockquote> <p>In essence, Postel S.p.A. makes two points:</p> <ol class="wp-block-list"> <li>that the damage did not result from an absence of security procedures and protocols, nor from their inadequacy;</li> <li>that the damage was caused by a human error in the configuration of the scanning activities, which excluded the Exchange server from the vulnerability scan and therefore from <em>patching</em>.</li> </ol> <p>Postel S.p.A. is ISO 27001 certified, the cornerstone standard for information security management in the ISO world. In reply to this argument, the Garante's inspectors reported the following:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>It notes that the aforementioned vulnerabilities had already been disclosed, in September 2022, by the Microsoft Security Response Center, which had also published the appropriate mitigation actions; furthermore, in November 2022, Microsoft had made available the necessary updates to the Exchange platform to overcome precisely the vulnerabilities indicated (moreover, considering that they had been assessed as highly critical). 
By the way, also in Italy, several months before the event, the existence of the aforementioned vulnerability had been duly reported by the National Cybersecurity Agency</p> </blockquote> <p>Reconstructing the timeline, then:</p> <ol class="wp-block-list"> <li>Microsoft disclosed the vulnerability in September 2022, together with mitigations.</li> <li>Microsoft released the fix in November 2022.</li> <li>Postel left the vulnerability unpatched until the data breach of August 2023, and did not act on the advisory issued by ACN either.</li> </ol> <p>The exposure therefore persisted for months despite official advisories from the vendor and from the CSIRTs. A <em>human error</em> produced the wrong configuration, but no control cycle ever detected it, and this shifts the argument from the <em>technical</em> to the <em>organisational</em> level.</p> <h3 class="wp-block-heading">Not only technical</h3> <p>Attention must be paid not only to <em>'technical'</em> controls but also (and especially) to <em>organisational</em> ones. Anyone genuinely familiar with the standards knows that they speak constantly of <em>procedures</em>, <em>policies</em> and <em>strategies</em>, that is, of a formalisation of organisational aspects that are often overlooked. The Garante's measure gives us a very useful piece of information in this regard.</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>The assessment carried out by the Authority, therefore, was not limited to taking into consideration the occurrence, as such, of the data breach […] but, starting from the data breach under investigation, <strong>it proceeded to verify</strong> whether the Company had adopted <strong>all those technical and organisational measures</strong> that could have prevented the personal data breach.</p> </blockquote> <p>Organisational measures <strong>are subject to inspection and evaluation</strong>! 
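</p> <p>The control cycle that was missing here can be written down. The check below is an added example, not Postel's procedure and not part of the Garante's measure: it reconciles an asset inventory against the vulnerability scanner's configured targets and exclusions and against the date of each host's last successful scan, so that a host silently dropped from scope (as the Exchange server was) shows up in a report instead of staying invisible for months. The inventory, the scanner configuration, the scan dates and the weekly/monthly scan-age limits are all constructed assumptions.</p>

```python
"""
Scan-coverage reconciliation: the control cycle that would have caught an
asset silently dropped from the vulnerability scanner's scope.

Added example; it is not Postel's procedure nor anything from the Garante's
measure. Assumptions (not in the original text): an asset inventory export,
the scanner's configured target and exclusion lists, and a map of last
successful scan dates are available; the maximum scan age per asset class
is a made-up SLA. All data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    internet_facing: bool
    owner: str


@dataclass
class ScannerConfig:
    targets: set[str]                                  # hosts the scanner is configured to scan
    exclusions: set[str] = field(default_factory=set)  # hosts explicitly excluded


@dataclass(frozen=True)
class Finding:
    asset: str
    reason: str


# Assumed SLA: internet-facing assets must be scanned weekly, internal ones monthly.
MAX_SCAN_AGE_DAYS = {True: 7, False: 30}


def reconcile(inventory: list[Asset], config: ScannerConfig,
              last_scan: dict[str, date], today: date) -> list[Finding]:
    """Report every inventoried asset that the scanning process does not cover."""
    findings: list[Finding] = []
    for a in inventory:
        if a.ip in config.exclusions:
            # An exclusion overrides the target list: this is exactly the
            # "human error in the configuration of the scanning activities".
            findings.append(Finding(a.name, "excluded from scanner scope"))
        elif a.ip not in config.targets:
            findings.append(Finding(a.name, "not in scanner target list"))
        elif a.ip not in last_scan:
            findings.append(Finding(a.name, "in scope but never scanned"))
        else:
            age = (today - last_scan[a.ip]).days
            if age > MAX_SCAN_AGE_DAYS[a.internet_facing]:
                findings.append(Finding(a.name, f"last scan {age} days ago"))
    return findings


def unknown_hosts(inventory: list[Asset], last_scan: dict[str, date]) -> set[str]:
    """Hosts the scanner saw that the inventory does not know about (the reverse gap)."""
    return set(last_scan) - {a.ip for a in inventory}


# Constructed data.
INVENTORY = [
    Asset("mail01", "10.0.0.10", True, "messaging"),   # the Exchange-like server
    Asset("web01", "10.0.0.20", True, "web"),
    Asset("db01", "10.0.0.30", False, "data"),
    Asset("file01", "10.0.0.40", False, "infra"),
    Asset("app01", "10.0.0.50", False, "apps"),
    Asset("dc01", "10.0.0.60", False, "identity"),
]
CONFIG = ScannerConfig(
    targets={"10.0.0.10", "10.0.0.20", "10.0.0.40", "10.0.0.50", "10.0.0.60"},
    exclusions={"10.0.0.10"},   # the misconfiguration under discussion
)
LAST_SCAN = {
    "10.0.0.20": date(2023, 7, 30),
    "10.0.0.40": date(2023, 6, 17),
    "10.0.0.60": date(2023, 7, 22),
    "10.0.0.99": date(2023, 7, 29),   # scanned, but absent from the inventory
}
TODAY = date(2023, 8, 1)


if __name__ == "__main__":
    for f in reconcile(INVENTORY, CONFIG, LAST_SCAN, TODAY):
        print(f"{f.asset}: {f.reason}")
    print("unknown hosts:", sorted(unknown_hosts(INVENTORY, LAST_SCAN)))
```

<p>Two design points: the exclusion list is checked before the target list, because in scanner products an exclusion typically overrides a target entry, so a host can be 'in scope' on paper and still never be scanned; and the reverse comparison in <code>unknown_hosts</code> catches the opposite failure, hosts the scanner reaches that nobody inventoried. Run on a schedule, with its output routed to the asset owners, this is the kind of evidence an ISO 27001 auditor (or the Garante) would ask to see.</p> <p>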
There has long been a misconception that supervision stops short of this area, and it is clearly wrong. The Garante per la Protezione dei Dati Personali thus sheds light on an important point and, on that basis, orders Postel S.p.A. <strong><em>“to set up a formalised procedure for the management of vulnerabilities</em></strong><em>, which provides, in particular, for the planning of the control of all the organisation's IT assets in order to detect the possible presence of known or potential vulnerabilities as well as the identification of the relevant correction and mitigation procedures</em>“.</p> <h3 class="wp-block-heading"><strong>ISO 27001</strong> certification</h3> <p>As Postel S.p.A. itself states, the company is ISO 27001 certified, an ambitious and comprehensive certification which, if fully complied with, makes an organisation very well structured and protected against incidents. ISO 27001 includes several essential security controls, among them:</p> <ul class="wp-block-list"> <li><strong>Organisational control 5.24</strong>: the organisation shall plan and prepare for managing information security incidents by defining, establishing and communicating incident management processes, roles and responsibilities.</li> <li><strong>Organisational control 5.25</strong>: the organisation shall assess information security events and decide whether they are to be categorised as information security incidents.</li> <li><strong>Technological control 8.8</strong>: information about the technical vulnerabilities of the information systems in use shall be obtained, the organisation's exposure to those vulnerabilities evaluated, and appropriate measures taken. 
</li> </ul> <p>To claim ISO 27001 certification is therefore to declare that you know, understand and have implemented these controls, many of which concern strategic, organisational and monitoring activities.</p> <h2 class="wp-block-heading">Conclusion</h2> <p>With a fine of 900,000 euros and some very harsh findings, it is to be hoped that Postel S.p.A. will build on what happened, also and above all with respect to that ISO 27001 certification, which includes a particularly relevant control, 5.27:</p> <p class="has-text-align-center"><em>Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls.</em></p> <p>The article <a href="https://www.edoardolimone.com/en/2024/10/29/data-breach-postel-s-p-a-the-provision-of-the-garante/">Data breach Postel S.p.A.: the provision of the Garante</a> comes from <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></content:encoded> </item> <item> <title>NIS 2: a possible case of compulsive standardisation</title> <link>https://www.edoardolimone.com/en/2024/10/06/nis-2-a-possible-case-of-compulsive-standardisation/</link> <dc:creator><![CDATA[Edoardo Limone]]></dc:creator> <pubDate>Sun, 06 Oct 2024 19:23:01 +0000</pubDate> <category><![CDATA[Cybersecurity]]></category> <category><![CDATA[NIS 2]]></category> <category><![CDATA[Public Administration]]></category> <guid isPermaLink="false">https://www.edoardolimone.com/?p=18173</guid> <description><![CDATA[<p>On 17 October, Italy will transpose the NIS 2 Directive (Directive (EU) 2022/2555), and the expectation surrounding this directive raises a doubt: will the directive have any real usefulness or have […]</p> <p>The article <a href="https://www.edoardolimone.com/en/2024/10/06/nis-2-a-possible-case-of-compulsive-standardisation/">NIS 2: a possible case of compulsive standardisation</a> comes from <a 
href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></description> <content:encoded><![CDATA[<p>On 17 October, Italy will transpose the NIS 2 Directive <a href="https://eur-lex.europa.eu/legal-content/IT/TXT/?uri=CELEX%3A32022L2555" target="_blank" rel="noreferrer noopener">(Directive (EU) 2022/2555)</a>, and the expectation surrounding it raises a doubt: will the directive be of any real use, or have we entered (some time ago now) a spiral of <em>compulsive standardisation</em>?</p> <span id="more-18173"></span> <h2 class="wp-block-heading">The issue around NIS 2</h2> <p>Europe needs to secure the technological infrastructures that guarantee millions of IT transactions every day and that suffer from many problems, including being largely made up of systems built and distributed by non-European countries. This clearly becomes a problem when wars break out and geopolitical instability spreads. Right now, Europe is witnessing the conflict between Russia and Ukraine, which broke out in 2022, and the conflict in the Middle East (Israel, Lebanon, Iran, …). In short, Europe is in a very particular geopolitical situation, and it is in this situation that NIS 2 will be implemented by Italy on 17 October. Many wonder whether NIS 2 was really needed: the first NIS Directive dates from 2016 and was repealed precisely to make way for its successor because, as the text puts it, it '<em>revealed inherent shortcomings that prevented it from effectively addressing current and emerging cybersecurity challenges</em>'. 
It is therefore expected that NIS 2 will project Europe into a modern, new cybersecurity framework, adapted to the geopolitical scenario and establishing strict criteria to be observed and enforced regularly, but it is well known that expectations are often betrayed.</p> <h2 class="wp-block-heading">Utility or compulsive standardisation?</h2> <p>Within NIS 2 there is one article that has attracted readers' attention more than any other: Article 21, which lists the main cybersecurity risk-management measures that the entities in scope must adopt. It is precisely Article 21, however, that represents the Directive's first paradox: for those used to treating cybersecurity as a <em>normal</em> requirement, NIS 2 introduces nothing really new, but re-proposes decades-old concepts and arguments that are simply not observed. A few examples will make the point.</p> <p>Article 21 (d) speaks of '<em><strong>supply chain security</strong>, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers</em>', what is commonly referred to as the <em>supplier network</em> or, with the English term, the <em>supply chain</em>. NIS 2 establishes an obligation to vet the security posture of suppliers, something already done routinely by companies that take IT (and not only IT) <em>security</em> seriously. Vetting suppliers is necessary to avoid problems and interruptions in service delivery, with the consequent financial and reputational repercussions for the company. This vetting is done by checking financial soundness, partnerships and public financial statements, and by searching the dark web for information that may involve the supplier. 
These are normal activities in business management, and many companies already check the reputation and credibility of their suppliers as a matter of course.</p> <p>Article 21 (j) speaks of the '<em>use of <strong>multi-factor authentication</strong> or continuous authentication solutions</em>', mechanisms that should already be in routine use by anyone with a <em>normal</em> view of IT security: recent measures of the Data Protection Authority have, in fact, taken note of the presence or absence of this safeguard. The measure concerning ASL Napoli 3 Sud (No. <a href="https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9941232" target="_blank" rel="noreferrer noopener">9941232</a>), for example, states that '<em>as of the date of the final notification of the privacy incident, the entity has effectively adopted multi-factor authentication for VPN connections</em>'. Multi-factor authentication has been present for years in all the major operating standards in the world and is simply ignored out of indolence and negligence.</p> <p>Article 21 (g) talks about '<em><strong>basic</strong> cyber <strong>hygiene practices</strong> and cybersecurity training</em>', widely introduced and practised in many companies that, for example, provide technical IT support or handle customer data and devices and therefore need to be more careful. In many companies, staff are kept up to date on the latest threats through courses, newsletters and so on. It is just as well known, however, that training often becomes one more <em>item to be ticked off</em> the list of things to do in order to be <em>compliant</em>. An example? Article 29 of the GDPR: '<em>The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, <strong>shall not process those data except on instructions from the controller</strong>, unless required to do so by Union or Member State law</em>', 
yet one often finds staff who are not really qualified despite the many training courses they have attended.</p> <p>One could go on with the other aspects of the Directive, and some will be covered below, but if one wanted to criticise the text of the Directive, one could say that there is no real innovation in these measures, which raises the question of how innovative NIS 2 really is and how much we need it. Because, if on the one hand it is true that we continue to see data breaches, including ones originating in the supply chain (such as the case of June 2024 involving <a href="https://www.edoardolimone.com/2024/06/07/data-breach-azienda-socio-sanitaria-territoriale-rhodense/" target="_blank" rel="noreferrer noopener">ASST Rhodense</a>), it is equally true that the umpteenth Directive will not solve the problem. We have general regulations, specific regulations, European regulations and national regulations, but we probably do not have the right number of checks and sanctions. Consider what happened in May 2022, when ACN presented the <a href="https://www.edoardolimone.com/2022/05/27/la-strategia-italiana-per-la-cybersecurity/" target="_blank" rel="noreferrer noopener">Italian Cybersecurity Strategy</a>. On that occasion:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>Someone among the journalists asked whether sanctions are ready for those who do not comply with the new strategy, and this was confirmed by both Gabrielli and Baldoni, specifying that these sanctions will be even 'heavier' than the previous ones. However, it was made clear that <strong>the attitude will not be punitive and intimidating, but supportive and accompanying</strong>, towards a transformation of IT security for those entities that are not ready. 
Objectively, this is an attitude that can only be partially shared: since 31/12/2017 (the date by which AgID's Circular 2/2017 required compliance) very few public entities have taken steps to adopt the measures. More than four years have passed, a period long enough to be understanding and to 'accompany' the slowest public administrations through the change. It must also be considered that the most virtuous ones have seen no benefit from their timely reaction, but have watched the less virtuous ones being ignored in their inertia.</p> </blockquote> <p>We continue to regulate without carrying out adequate checks to remedy situations of blatant negligence, as happened in the latest data breaches, in which some public bodies continue to keep access credentials to systems and services in plain-text '.txt' files. We continue to regulate by introducing constraints, measures and obligations, but the feeling is that the checks needed to enforce those constraints are missing, and sometimes the doubt arises that this may be <em>regulatory compulsion</em>.</p> <h2 class="wp-block-heading">Is it regulatory compulsion?</h2> <p>It is regulatory compulsion because for more than ten years IT has embraced standards that provide for cyber hygiene rules, for the use of cryptography, for high security standards such as multi-factor authentication, for backup, disaster recovery and business continuity policies. Standards that provide for access control management, supplier auditing, personal data protection through risk analysis, impact assessments, vulnerability assessments and penetration tests. But if standards providing for all this already exist, what need was there to produce NIS 2 as well? Would it not have sufficed to enforce what already exists? 
And again, if one is already unable to carry out sufficient checks on compliance with the existing legislation, how will one check the newly added one?</p> <h3 class="wp-block-heading">Some examples</h3> <p>By legal obligation, public administrations <strong><span style="text-decoration: underline">must</span></strong> comply with Circular 2/2017, containing the 'Minimum ICT Security Measures for Public Administrations'. These measures are a reworking of version 6 of the Critical Security Controls (analysed extensively on this site), a version that dates from 2016. In June 2024, version 8.1 was released: would it not have been more appropriate to update the Minimum Security Measures from version 6 to the new version 8.1? Some may think that these standards lack the <em>freshness</em> of NIS 2, that they are missing something, so a few examples are in order.</p> <p><strong>Take as a first example the use of encryption</strong>, a much-discussed topic in NIS 2 but already an <strong>obligation</strong> for public administrations since 2017. Rule 10.3.1 of Circular 2/2017 states the need to '<em>ensure the confidentiality of the information contained in the backup copies by adequate physical protection of the media or by encryption. Encryption carried out prior to transmission allows the backup to be remote, even in the cloud</em>'. If Circular 2/2017 seems too narrow an example, we can turn to one of the world's most important standards. 
ISO 27001 has required this for more than a decade: in the current edition it is control 8.24, '<em>Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented</em>', and the 2013 edition (the second) already contained equivalent controls.</p> <figure class="wp-block-image aligncenter size-large is-resized"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/10/image.png"><img loading="lazy" decoding="async" width="1024" height="330" src="https://www.edoardolimone.com/wp-content/uploads/2024/10/image-1024x330.png" alt="" class="wp-image-18171" style="width:487px;height:auto" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/10/image-1024x330.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/10/image-300x97.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/10/image-768x248.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/10/image.png 1352w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption">ISO 27001/2013: controls related to the use of encryption</figcaption></figure> <p><strong>Take multi-factor authentication as a second example</strong>. We know that NIS 2 requires it, but this is not new either: think of rule 5.6.1 of Circular 2/2017, which requires '<em><strong>Use multi-factor authentication systems for all administrative access</strong>, including domain administration access. Multi-factor authentication may use different technologies, such as smart cards, digital certificates, one-time passwords (OTP), tokens, biometrics and other similar systems.</em>' ISO 27001 makes a more generic but no less important contribution here: control 8.5 on secure authentication states that '<em>Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control</em>'. 
This requirement was also present in the 2013 edition of the standard (control A.9.4.2), in a more generic but equally significant form.</p> <figure class="wp-block-image aligncenter size-large is-resized"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/10/image-1.png"><img loading="lazy" decoding="async" width="1024" height="264" src="https://www.edoardolimone.com/wp-content/uploads/2024/10/image-1-1024x264.png" alt="" class="wp-image-18170" style="width:601px;height:auto" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/10/image-1-1024x264.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/10/image-1-300x77.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/10/image-1-768x198.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/10/image-1.png 1344w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption">ISO 27001/2013: controls related to access security</figcaption></figure> <p>Not to mention that in the banking sector, for example, authorising an electronic payment has required strong customer authentication since 31 December 2020, as stipulated by the Payment Services Directive <a href="https://eur-lex.europa.eu/legal-content/IT/TXT/PDF/?uri=CELEX:32015L2366" target="_blank" rel="noreferrer noopener">(PSD2, Directive (EU) 2015/2366)</a>, based on at least two of the following factors:</p> <ul class="wp-block-list"> <li>'Something you know', something only the customer knows (password, PIN, etc.)</li> <li>'Something you have', something only the customer possesses (smartphone, bank token, etc.)</li> <li>'Something you are', something that uniquely identifies the customer (facial recognition, fingerprint, etc.).</li> </ul> <p><strong>Take a third example, cryptographic policies</strong>: NIS 2 states the importance of adopting '<em><strong>policies and procedures regarding the use of cryptography</strong> and, where appropriate, encryption</em>'. Is this new? 
Again, one could cite Circular 2/2017, which for over five years has provided Rule 8.24: <em>“Standards for the effective use of cryptography, including cryptographic key management, shall be defined and implemented</em>.”</p> <p><strong>Take a fourth example regarding supply chain security</strong>. NIS 2 was considered by many to be groundbreaking for addressing this issue, ignoring the fact that ISO 27001 has for years included control 5.19: <em>“Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of the supplier’s products or services</em>.”</p> <h2 class="wp-block-heading">Does it make sense to regulate in this way?</h2> <p>Is this the <em>freshness</em>, the <em>novelty</em> that is needed and that NIS 2 offers us? It is worth asking ourselves this question, especially when we already have a regulatory framework in which several kinds of regulation apply to the same ground, for example the text of the GDPR for the processing of personal data and Circular 2/2017 for public administration. In short, NIS 2, which is a European directive, in many ways overlaps with what is already in place, and it is therefore reasonable to conclude that there is a surplus of regulations with numerous overlaps.</p> <p>It is worth repeating a point: the problem is not just ‘regulatory production’ but the lack of compliance. Those involved in cybersecurity are well aware of the poor measures that have followed the GDPR and of the state of many public and private technological infrastructures, which are far from compliant with any of the aforementioned standards. The ‘bogeyman’ of penalties, which fuelled intentions to come into compliance back in 2016, is now a memory that hardly anyone believes in anymore.
Eight years have passed and we have data centres losing data without any control, difficulties in restoring, an inability to administer data, and we often read public communications from entities claiming not to know what data was lost as a result of a data breach. None of this is solved by adding one more regulation, yet another, to the landscape of existing ones.</p> <h2 class="wp-block-heading">Conclusions</h2> <p>NIS 2 is an important text but does not add much to the existing scenario, especially for those who have invested in IT security seriously and competently over the years. Companies that have taken standards such as ISO 27001 seriously have long since reached levels whose surface NIS 2 barely scratches. The risk is that this Directive becomes yet another ‘regulatory product’ of little use to those who have for years neglected the management of their information systems, neglecting maintenance and modernisation mechanisms that should not be optional but compulsory and fundamental, above all for the proper protection of data.</p> <p>The article <a href="https://www.edoardolimone.com/en/2024/10/06/nis-2-a-possible-case-of-compulsive-standardisation/">NIS 2: a possible case of compulsive standardisation</a> comes from <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></content:encoded> </item> <item> <title>The usefulness of technology</title> <link>https://www.edoardolimone.com/en/2024/09/15/the-usefulness-of-technology/</link> <dc:creator><![CDATA[Edoardo Limone]]></dc:creator> <pubDate>Sun, 15 Sep 2024 20:34:42 +0000</pubDate> <category><![CDATA[Artificial Intelligence]]></category> <category><![CDATA[Digitalizzazione]]></category> <category><![CDATA[Intelligenza Artificiale]]></category> <guid isPermaLink="false">https://www.edoardolimone.com/?p=18102</guid> <description><![CDATA[<p>For a few months now, we have begun to read articles that seem to re-propose the importance of certain
technologies that have been much talked about until now. Among […]</p> <p>The article <a href="https://www.edoardolimone.com/en/2024/09/15/the-usefulness-of-technology/">The usefulness of technology</a> comes from <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></description> <content:encoded><![CDATA[<p>For a few months now, we have begun to read articles that seem to re-propose the importance of certain technologies that have been much talked about until now. Among these, of course, is artificial intelligence…</p> <span id="more-18102"></span> <h2 class="wp-block-heading">What is happening</h2> <p>Enthusiasm for technology is something wonderful but, on balance, it does not contribute to the consolidation of technological solutions. Enthusiasm allows us to get to know them in many ways, to see their merits and flaws, but it has nothing to do with actual use, real utility and actual adoption.</p> <p>After an initial great moment of enthusiasm about artificial intelligence, we are now beginning to hear more and more frequently of a ‘bubble’, and the same applies to other technologies that, in theory, should by now have become widespread. It is worth mentioning an <a href="https://www.wired.it/article/nvidia-openai-intelligenza-artificiale-bolla/" target="_blank" rel="noreferrer noopener">excellent article published</a> in Wired Italia by Andrea Daniele Signorelli and entitled <em>‘Nvidia, OpenAI and the artificial intelligence bubble</em>’.</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>What if this bet turns out to be a loser? In a nutshell, this is the fear that is beginning to circulate: that Nvidia, Meta, Microsoft, OpenAI (which we will come back to later) and all the others in the industry have staked immense amounts of money on a future that may never happen.
“<em>The huge spending in the field of artificial intelligence has not been justified so far, given the limited applications of this technology</em>,” said JPMorgan analysts.</p> </blockquote> <p>And indeed, the same perplexities had been raised on <a href="https://www.edoardolimone.com/2024/06/24/tecnologie-e-consumo-energetico-2/" target="_blank" rel="noreferrer noopener">this blog</a> when, examining the energy demands of A.I., one wondered whether the widespread use of such technology was necessary in the face of such consumption. The same Wired article quoted above, referring to the statements of the <a href="https://www.elliottmgmt.com/" target="_blank" rel="noreferrer noopener">Elliott Management Corporation</a> investment fund on artificial intelligence, states:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>They will never be cost-effective, never work as expected, always require too much energy or prove unreliable</p> </blockquote> <p>As of 30 June 2024, the investment fund Elliott Management Corporation managed approximately USD 69.7 billion in assets and is considered a very reliable entity in financial and market analysis.</p> <h2 class="wp-block-heading">The bubble</h2> <p>In finance, there is a theorem called <em>‘expected utility theory</em>’, which Wikipedia reports as follows:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>Expected utility theory is based on the assumption that an agent’s utility under conditions of uncertainty can be calculated as a weighted average of the utilities in each possible state, using as weights the probabilities of the occurrence of the individual states as estimated by the agent.</p> </blockquote> <p>The relevant aspect of this theorem is that, among other uses, it is also used to understand <em>where to</em> invest, which, for all intents and purposes, is useful in understanding the <em>bubble</em> phenomenon.
The consolidation of a technology is not given by its spectacularity or its apparent media popularity, but by its ability to be applicable in multiple contexts under a regime of sustainability. To propose a technology that is powerful but drains the energy resources of an entire city is to present something that is unsustainable and therefore unusable, if not downright harmful.</p> <h3 class="wp-block-heading">Blockchain and Bitcoin</h3> <p>There has been a battle going on for years over the usefulness of blockchain and the soundness of bitcoin. So far, the market has established one truth: <em>the blockchain has established itself thanks mainly to bitcoin, which has reached a considerable economic value</em>. This is undeniable, and to deny it would be to reject a quantitative fact: that 1 bitcoin is currently worth EUR 54,230.22 (15/09/2024 11:50). A frightening exchange rate. Yet for months people have been going on about the <em>bubble</em>’s <em>imminent demise</em>, arguments to which cryptocurrency investors have become accustomed. Articles such as Milano Finanza’s <em><a href="https://www.milanofinanza.it/news/bitcoin-per-la-bce-e-solo-una-bolla-speculativa-e-l-etf-non-cambia-la-sostanza-la-crypto-non-e-un-metodo-202402221555088233" target="_blank" rel="noreferrer noopener">‘Bitcoin, for the ECB it is just a speculative bubble. The Etf does not change the substance: crypto is not suitable as an investment method’</a></em> or that of Corriere delle Comunicazioni <a href="https://www.corrierecomunicazioni.it/digital-economy/bitcoin-la-bce-solo-una-bolla-speculativa-castello-di-carta-crollera/" target="_blank" rel="noreferrer noopener">‘Bitcoin, the ECB: “Only a speculative bubble, paper castle will collapse”’</a>.</p> <p>And in this war between opinions and data, which is legitimate and interesting, a doubt remains: in which other areas has blockchain established itself? It should have asserted itself widely in every sector of people’s economic life: financial transactions, commercial relations, but to date there are very few projects, although in some cases well implemented (there are very successful cases of smart contracts). A few high schools have tried to adopt blockchain solutions from some vendors to certify school-leaving (maturità) diplomas, but basically the marriage with this technology has been turbulent to say the least. The reason is simple: <em>it consumes too much energy</em> (the case of proof-of-work), and that is why alternative systems such as proof-of-stake have been designed and implemented (<a href="https://www.youtube.com/watch?v=rD5E-wsaVVY" target="_blank" rel="noreferrer noopener">I recommend this sample video</a> for further study), but with big problems yet to be solved. The road is long and far from being as trivial as many <em>techno-enthusiasts</em> had originally assumed.</p> <h3 class="wp-block-heading">Artificial Intelligence</h3> <p><a href="https://www.agendadigitale.eu/" target="_blank" rel="noreferrer noopener">Agenda Digitale</a>, the renowned electronic magazine on technology and beyond, published an <a href="https://www.agendadigitale.eu/mercati-digitali/ai-generativa-sprint-degli-investimenti-ma-di-doman-non-ve-certezza/" target="_blank" rel="noreferrer noopener">interesting article</a> in June 2024 by Prof.
Umberto Bertelè entitled <em>‘AI, the first big doubts about the super boom</em>’. The abstract of the article contains one of the most well-known problems of this fast-growing phenomenon:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>The stock market continues to focus on generative AI, with big tech companies increasing their investments. However, the international business press expresses scepticism about the returns for investors. US antitrust authorities investigate major tech companies. Meanwhile, new AI applications emerge, pioneered by a growing number of start-ups.</p> <p>Artificial intelligence today is experiencing a very dystopian growth: the masses use it to create real-life artefacts (photos, videos, audio) while very few actually handle ‘big data’ for research purposes. Is all the energy consumption generated by such processing therefore justifiable, or would it be more appropriate to restrict it to really necessary cases?</p> </blockquote> <h3 class="wp-block-heading">Electric cars</h3> <p>Another glaring example of a potential bubble is the one related to electric cars, which former Ferrari CEO Sergio Marchionne spoke about many years ago. It was 2017 when Marchionne spoke, in a non-enthusiastic but pragmatic way, about the technological evolution linked to electric cars. Many articles were devoted to his remarks, including a very effective one in <a href="https://www.lastampa.it/economia/2017/10/03/news/parla-marchionne-l-auto-elettrica-e-un-arma-a-doppio-taglio-1.34395657/" target="_blank" rel="noreferrer noopener">La Stampa by Francesco Spini.</a></p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>The limitations of electric cars are not just about cost, autonomy, recharging times or refuelling.
There is a much more important element that is almost never considered: their environmental impact throughout their life cycle, especially with regard to the source from which electricity is derived. Energy is produced from fossil fuels that are, at best, equivalent to a petrol car.</p> </blockquote> <p>In recent months, interest in hydrogen-powered cars has been growing, and in other countries (e.g. France) they are already receiving substantial investment; one example is undoubtedly the one described <a href="https://www.quattroruote.it/news/industria-finanza/2023/12/05/stellantis_symphonhy_prima_gigafactory_produzione_fuel_cell_idrogeno.html" target="_blank" rel="noreferrer noopener">in the article</a> <em>‘Opens SymphonHy, the first gigafactory for the production of hydrogen fuel cells</em>’ published in Quattroruote magazine by Claudio Todeschini.</p> <h2 class="wp-block-heading">A phenomenon announced (or not?)</h2> <p>The technological imposition caused by communication and marketing departments does not produce progress but risks creating bubbles that are difficult to maintain. Technology needs realistic application scenarios and, above all, time to find sustainability, which in many cases is underestimated. Should one infer that time is against profits? Unfortunately, this is not an obvious question. Profit, which depends on the quantity (<em>q</em>) sold, is the difference between the total revenue (<em>RT</em>) and the total cost (<em>CT</em>) of <sup data-fn="e82a1d33-bf6d-4c2c-b594-15e3478c29bf" class="fn"><a id="e82a1d33-bf6d-4c2c-b594-15e3478c29bf-link" href="#e82a1d33-bf6d-4c2c-b594-15e3478c29bf">production1</a></sup>:</p> <p class="has-text-align-center"><em>P(q) = RT(q) − CT(q).</em></p> <p>The time factor is not explicitly expressed in the formula, but it is implicitly included in it: the total cost clearly incorporates the <em>time</em> factor.
Time is a very important element of consolidation because, although it can slow the volume of profits in the short term, it can also lead to a longer life for the proposed solution.</p> <p>It is therefore necessary to make a careful assessment of technologies when they come onto the market and patiently evaluate their actual sustainability in relation to environmental, economic and utility phenomena. Yet not everyone agrees on the existence of this <em>‘bubble</em>’: in June 2024, Forbes magazine released an <a href="https://forbes.it/2024/06/18/siamo-di-fronte-a-una-bolla-dei-titoli-tech-gli-indicatori-dicono-di-no/" target="_blank" rel="noreferrer noopener">article</a> with the unequivocal title <em>‘Are we facing a tech stock bubble? The indicators say no</em>’.</p> <figure class="wp-block-image alignwide size-large"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/09/image.png"><img loading="lazy" decoding="async" width="1024" height="387" src="https://www.edoardolimone.com/wp-content/uploads/2024/09/image-1024x387.png" alt="" class="wp-image-18101" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/09/image-1024x387.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/09/image-300x113.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/09/image-768x290.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/09/image-1536x581.png 1536w, https://www.edoardolimone.com/wp-content/uploads/2024/09/image-2048x774.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption">The Forbes headline</figcaption></figure> <p>The article itself is particularly explicit in this regard, explaining that corporate stocks continue to perform well and that this is sufficient as a ‘litmus test’ of the health of tech stocks.</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>This market trend has stimulated debate among investors and analysts:
are we in the presence of a new technology bubble? The answer is that, at the moment, there are no signs of it. […] Moreover, one can observe today that the growth of technology stock prices is generally accompanied by a corresponding, if not even stronger, increase in profits. […] Similarly, one does not see an increase in the propensity to engage in mergers and acquisitions among companies. The latter factor historically reaches high levels during bubble periods: to such an extent that, at the time of the Lehman Brothers crisis, M&A volume had reached almost double the average level, whereas today volumes are around or slightly above average. Finally, the level of US household debt, which in relation to gross domestic product remains at very low levels, is not a cause for concern either.</p> </blockquote> <h2 class="wp-block-heading">Conclusions</h2> <p>So is there a <em>certain future</em> for technologies such as AI, the blockchain and cryptocurrencies? The answer is <em>yes, but…</em> and that future only materialises when such technologies are:</p> <ul class="wp-block-list"> <li>Economically sustainable.</li> <li>Not energy-intensive.</li> <li>Easily accessible, at least by the community they address.</li> <li>Bringing technological and/or social development.</li> </ul> <p>These characteristics mark the basic elements for a healthy and manageable development of technologies.
According to the energy research company <em><a href="https://thundersaidenergy.com/" target="_blank" rel="noreferrer noopener">Thunder Said Energy</a></em>, in 2030 the demand for energy to power AI could, with high probability, reach 310 TWh (terawatt-hours).</p> <figure class="wp-block-image aligncenter size-full"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/09/image-3.png"><img loading="lazy" decoding="async" width="969" height="460" src="https://www.edoardolimone.com/wp-content/uploads/2024/09/image-3.png" alt="" class="wp-image-18100" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/09/image-3.png 969w, https://www.edoardolimone.com/wp-content/uploads/2024/09/image-3-300x142.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/09/image-3-768x365.png 768w" sizes="(max-width: 969px) 100vw, 969px" /></a></figure> <p>Such consumption normally belongs to countries like Norway, Australia or the Netherlands, and would instead have to be sustained by a single company. The words spoken by Marchionne in 2017 therefore come back to the forefront: those arguing that, before any technological innovation, its real sustainability should be carefully assessed to avoid it being a <em>meteor</em> or worsening global living conditions.
The technologies that will remain in the service of mankind will therefore only be those that are useful and sustainable, those whose use will not cause a significant impairment of the natural and financial life cycle of human beings.</p> <ol class="wp-block-footnotes"><li id="e82a1d33-bf6d-4c2c-b594-15e3478c29bf">For further clarification, please consult the material published by the Università degli Studi Mediterranea di Reggio Calabria at <a href="https://www.unirc.it/documentazione/materiale_didattico/1465_2013_352_18818.ppt#:~:text=Il%20profitto%2C%20che%20dipende%20dalla,)%20%EF%80%AD%20CT(q).&text=Il%20profitto%20%C3%A8%20massimo%20dove,ricavo%20totale%20e%20costo%20totale.&text=%EF%81%B0%20(q)%3D%20RT(q,)%20%EF%80%AD%20CT(q).">this link</a> <a href="#e82a1d33-bf6d-4c2c-b594-15e3478c29bf-link" aria-label="Jump to footnote reference 1"><img src="https://s.w.org/images/core/emoji/15.0.3/72x72/21a9.png" alt="↩" class="wp-smiley" style="height: 1em; max-height: 1em;" />︎</a></li></ol><p>The article <a href="https://www.edoardolimone.com/en/2024/09/15/the-usefulness-of-technology/">The usefulness of technology</a> comes from <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></content:encoded> </item> <item> <title>Cyber attacks in countries with low economic development</title> <link>https://www.edoardolimone.com/en/2024/09/01/cyber-attacks-in-countries-with-low-economic-development/</link> <dc:creator><![CDATA[Edoardo Limone]]></dc:creator> <pubDate>Sun, 01 Sep 2024 08:39:07 +0000</pubDate> <category><![CDATA[Cybersecurity]]></category> <category><![CDATA[Data Breach]]></category> <category><![CDATA[Ransomware]]></category> <category><![CDATA[Sicurezza Informatica]]></category> <guid isPermaLink="false">https://www.edoardolimone.com/?p=18000</guid> <description><![CDATA[<p>The idea that hackers only target the most industrially powerful countries is wrong; certainly the United States, China and Europe are constantly at the
centre of cyber attacks, but there are […]</p> <p>The article <a href="https://www.edoardolimone.com/en/2024/09/01/cyber-attacks-in-countries-with-low-economic-development/">Cyber attacks in countries with low economic development</a> comes from <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></description> <content:encoded><![CDATA[<p>The idea that hackers only target the most industrially powerful countries is wrong; certainly the United States, China and Europe are constantly at the centre of cyber attacks, but there are offensive scenarios that we hardly ever hear about and that are in full development.</p> <span id="more-18000"></span> <h2 class="wp-block-heading">Hacking a country’s economy</h2> <p>Cyber attacks must be understood as a phenomenon capable of damaging the economy of one or more companies, but also capable of disrupting the economic and political performance of a nation. One does not have to go too far back to remember events such as the attack on the <a href="http://localhost:8888/2021/05/11/darkside-attacca-la-colonial-pipeline/" target="_blank" rel="noreferrer noopener">Colonial Pipeline</a> that disrupted the American economy:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>The cost of oil rose by 4% on the day of the attack, and by 1.5% the following day (Monday 10 May 2021)</p> </blockquote> <p>Cyber attacks have multiple purposes and, paradoxically, damaging businesses is not the most relevant one; on the contrary, weakening the perception of a country’s economic and political security is one of the main ones. In the Obama-Trump election campaign, hacker attacks from China aimed to destabilise confidence in the Obama presidency, showing a weak America unable to defend itself. The term <em>economy of a country</em> means not only its profit capacity, its GDP, but also its politics, its government and its productive power, its reliability in the eyes of other nations.
They are all intertwined: attacking one attacks the others. The question therefore arises as to whether so-called <em>developing</em> countries suffer hacker attacks, how often and for what purpose these attacks take place, but before going any further, it is good to clarify the concept of <em>‘developing’</em>. The United Nations uses the acronym LDC – Least Developed Countries – to identify those nations where industrialisation is much less present than in others, but not only. The main characterising factors are: low income, scarcity of human resources (which includes factors such as nutrition, health, education and adult literacy), and economic vulnerability.</p> <h2 class="wp-block-heading">Cyber attacks in Africa</h2> <p>Africa belongs to the LDC countries, with 45 states including: Angola, Benin, Burkina Faso, Burundi, Chad, Comoros, Democratic Republic of Congo, Djibouti, Eritrea, Ethiopia, Gambia, Guinea, Guinea-Bissau, Lesotho, Liberia, Madagascar, Malawi, Mali, Mauritania, Mozambique, Niger, Rwanda, São Tomé and Príncipe, Senegal, Sierra Leone, Somalia, South Sudan, Sudan, Tanzania, Togo, Uganda, Zambia.</p> <p>Despite the fact that in the West (especially in Italy) there is little public debate about Africa’s technological and industrial development, the continent is receiving many more attacks than in 2023: an interesting article in the Nigrizia portal entitled <a href="attacchi%20informatici%20in%20aumento" target="_blank" rel="noreferrer noopener">‘Africa: cyber attacks on the rise</a>’ cites data from Checkpoint, the renowned cybersecurity company.</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>This figure represents a deterioration of 37 per cent compared to the same period in 2023. Of the 112 countries analysed by Checkpoint, the worst affected in Africa were Ethiopia and Zimbabwe, followed by Angola and Kenya.
South Africa ranked 61st, while out of the sample covered by Checkpoint, Egypt ranked last – and therefore first, in qualitative terms – at 112th.</p> </blockquote> <p>It is a condition that is bound to worsen for several reasons, the first of which is related to the fact that Africa is increasingly becoming the centre of interest for countries like China, which are busy extracting silicon and exploiting mineral deposits. As we learn from the Africa24.it website in the article<a href="https://africa24.it/2024/02/10/i-legami-della-cina-con-lafrica/#:~:text=L'iniziativa%20della%20Cina%20Belt,prime%20africane%20esportate%20in%20Cina." target="_blank" rel="noreferrer noopener">‘China’s ties with Africa</a>‘ by C. Volpi:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>China’s Belt and Road Initiative (BRI), launched in 2013, has further intensified these ties, with 52 African countries joining the initiative. Today, China is Africa’s largest trading partner, with a significant share of African raw materials exported to China. […] China derives numerous benefits from its partnership with Africa. Firstly, access to key resources such as cobalt, platinum and coltan, which are crucial for the electronics industry, with China holding African refineries of rare earths and minerals essential for its emerging technology sector. Secondly, the alliance with Africa reinforces Chinese geopolitical aspirations, harnessing the African bloc at the UN General Assembly to influence resolutions on controversial issues and to gain support in international arenas. 
Against a backdrop of such technological, industrial and economic development, it is easy to imagine that hacking attacks will also gain momentum and increase in number and complexity.</p> </blockquote> <p>Africa has been the target of an increasing number of cyber attacks since 2020; a few of them are worth mentioning:</p> <ul class="wp-block-list"> <li><strong>Sibanye-Stillwater (2024)</strong>: a major mining company operating in South Africa was hit by a cyber attack that compromised its IT systems, causing disruption to business operations.</li> <li><strong>Anglo American Platinum (2023)</strong>: a major mining company was the target of cyber attacks that interfered with operations, highlighting the growing cyber threat in the African mining sector.</li> <li><strong>Gold Fields (2020)</strong>: one of the world’s largest gold mining companies, with operations in South Africa, suffered a cyber attack that temporarily halted production at some of its mines.</li> </ul> <p>On the Sibanye-Stillwater case, there is an <a href="https://www.reuters.com/technology/cybersecurity/platinum-giant-sibanye-says-its-system-has-been-hit-cyberattack-2024-07-11/" target="_blank" rel="noreferrer noopener">interesting article by Reuters</a> that tries to take stock of the situation. For the case of Anglo American Platinum, we recommend reading the article on Mining.com by Henry Lazenby <a href="https://www.mining.com/crude-anglo-american-email-highlights-cyber-hack-threat/" target="_blank" rel="noreferrer noopener">‘Crude Anglo American email highlights cyber-hack threat</a>’.</p> <h3 class="wp-block-heading">The Transnet case</h3> <p>Transnet is a South African state-owned company that plays a crucial role in the management of the country’s transport infrastructure, with over 50,000 employees.
Established in 1990, Transnet is responsible for the management and development of major transport networks, including railways, ports and pipelines, which are essential for trade and logistics in South Africa and the surrounding region. Transnet operates through different divisions, each of which focuses on a specific aspect of transport:</p> <ol class="wp-block-list"> <li><strong>Transnet Freight Rail (TFR)</strong>: the division that manages the freight rail network, one of the largest rail networks dedicated to freight transport on the African continent;</li> <li><strong>Transnet National Ports Authority (TNPA)</strong>: manages South Africa’s major ports, providing essential services for port operations and maritime logistics;</li> <li><strong>Transnet Port Terminals (TPT)</strong>: responsible for terminal operations in ports; it facilitates the loading and unloading of goods, including containers, bulk and general cargo;</li> <li><strong>Transnet Pipelines (TPL)</strong>: operates the pipeline network that transports oil products and natural gas across the country, playing a crucial role in energy supply;</li> <li><strong>Transnet Engineering (TE)</strong>: provides maintenance and construction services for rolling stock, locomotives and other railway components.</li> </ol> <p>It is therefore easy to deduce that Transnet is crucial to the South African and regional economy; its transport infrastructure supports the country’s mining, agricultural and manufacturing industries, facilitating the export of goods and the import of essential goods, and more besides. Transnet plays a significant role in fostering regional economic integration and improving connectivity between Southern African countries.
Transnet is therefore a cornerstone of the South African and regional transport infrastructure, with a significant impact on trade and economic development.</p> <p>Transnet was the victim of a ransomware attack in July 2021 that resulted in a major breach of its IT systems. The offensive was claimed by the ‘Death Kitty’ collective; the attackers managed to infiltrate the company’s IT networks, disrupting daily operations and causing significant disruption, including:</p> <ul class="wp-block-list"> <li><strong>Disruption of port services</strong>: the IT systems of the ports operated by Transnet were affected, causing cargo loading and unloading operations to come to a halt. This led to significant delays in maritime trade and affected the supply chain;</li> <li><strong>Rail disruptions</strong>: rail operations were also affected, with disruptions in freight services impacting the South African economy;</li> <li><strong>Compromised internal communications</strong>: the ability to communicate within the company was compromised, making it difficult to coordinate emergency responses and restore normal operations.</li> </ul> <p>On 29 July 2021, the <a href="https://issafrica.org/" target="_blank" rel="noreferrer noopener">Institute For Security Studies</a> <a href="https://issafrica.org/iss-today/cyber-attacks-expose-the-vulnerability-of-south-africas-ports" target="_blank" rel="noreferrer noopener">published a</a> very interesting <a href="https://issafrica.org/iss-today/cyber-attacks-expose-the-vulnerability-of-south-africas-ports" target="_blank" rel="noreferrer noopener">article</a> by <a href="https://issafrica.org/author/denys-reva" target="_blank" rel="noreferrer noopener">Denys Reva</a> on hacker attacks against the transport company Transnet.
Reva, in his article, explains:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>The cumulative impact of the attack will certainly cause lasting damage to the economy, further weakening South Africa’s economic recovery from the COVID-19 pandemic. However, the actual severity of the incident is difficult to estimate, leaving experts to speculate on its nature, scale and consequences. […] The number of similar incidents in Africa is likely to increase as seaports seek to increase efficiency and effectiveness through digitisation.</p> </blockquote> <h3 class="wp-block-heading">The case of Congo</h3> <p>In 2023, <a href="https://www.netscout.com/threatreport/emea/democratic-republic-of-the-congo/" target="_blank" rel="noreferrer noopener">NetScout conducted a study</a> on the incidence of DDoS attacks in the Congo. Before going any further, it should be made clear that it is very difficult to obtain reliable and up-to-date information from these countries. 
Congo is experiencing constant difficulty in dealing with an increasing number of DDoS attacks, so it is best to give some numerical references to put the phenomenon in context:</p> <figure class="wp-block-table aligncenter"><table class="has-fixed-layout"><tbody><tr><td class="has-text-align-center" data-align="center">Maximum bandwidth occupation</td><td class="has-text-align-center" data-align="center">2.37 Gbps</td></tr><tr><td class="has-text-align-center" data-align="center">Maximum throughput</td><td class="has-text-align-center" data-align="center">5.5 Mpps</td></tr><tr><td class="has-text-align-center" data-align="center">Average duration</td><td class="has-text-align-center" data-align="center">10 Minutes</td></tr><tr><td class="has-text-align-center" data-align="center">Frequency of attack</td><td class="has-text-align-center" data-align="center">335 Attacks/year</td></tr></tbody></table><figcaption class="wp-element-caption">DDoS in the Congo recorded by NetScout in 2023</figcaption></figure> <p>These figures, to the layman’s eye, do not seem that relevant, but consider that while Congo experienced a DDoS attack with a bandwidth occupancy of 2.37 Gbps, Amazon Web Services (in 2020) had to handle an attack of 2.3 Tbps. 
In order to provide a simplified view for the inexperienced, we round the figures down and express both in Gbps, resulting in the following:</p> <figure class="wp-block-table aligncenter"><table class="has-fixed-layout"><thead><tr><th class="has-text-align-center" data-align="center">Congo</th><th class="has-text-align-center" data-align="center">Amazon Web Services</th></tr></thead><tbody><tr><td class="has-text-align-center" data-align="center">2</td><td class="has-text-align-center" data-align="center">2,000</td></tr></tbody></table><figcaption class="wp-element-caption">Simplified comparison, in Gbps, between the attack in Congo and that suffered by AWS</figcaption></figure> <p>It is striking to note the abysmal difference between these figures, but it is equally important to put the phenomenon in context. To be able to counter even a 2 Gbps DDoS attack, one needs infrastructure and equipment that are hard to find in Congo. Amazon, on the other hand, enjoys technological resources that far exceed those available to Congo.</p> <p>In Europe, the increasing number of DDoS attacks is also managed through collaboration between the ISPs of the various countries. This collaboration has not yet been fully established, but it has made it possible to <a href="http://localhost:8888/2022/05/18/gli-attacchi-di-killnet-allitalia/" target="_blank" rel="noreferrer noopener">implement</a> effective <a href="http://localhost:8888/2022/05/18/gli-attacchi-di-killnet-allitalia/" target="_blank" rel="noreferrer noopener">strategies</a> that have protected world-class events such as the Eurovision Song Contest. 
There is still a lot of work to be done, but the situation in Europe is nowhere near the condition in which many countries around the world, including Congo, find themselves.</p> <p>Yet Congo is home to key mines of coltan, which contains tantalum, used in electronics for capacitors and mobile phone components, and of cobalt (of which Congo is one of the world’s largest producers), which is essential for rechargeable batteries, such as those in electric vehicles. The paradox is that one of the places most important to the economic development of the world’s powers is also one of the least digitally protected. As production increases, the level of digitisation naturally increases with it, so it is a foregone conclusion that offensive activity on the ground will increase as well.</p> <h2 class="wp-block-heading">Conclusions</h2> <p>It is not only Africa that is affected by a significant increase in hacker attacks: according to the <a href="https://www.ransomfeed.it" target="_blank" rel="noreferrer noopener">Ransomfeed</a> platform, the attacks recorded over the years for the countries below have increased dramatically (see Australia as an example).</p> <figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th class="has-text-align-center" data-align="center">Country</th><th class="has-text-align-center" data-align="center">2022</th><th class="has-text-align-center" data-align="center">2023</th></tr></thead><tbody><tr><td class="has-text-align-center" data-align="center">Argentina</td><td class="has-text-align-center" data-align="center">11</td><td class="has-text-align-center" data-align="center">30</td></tr><tr><td class="has-text-align-center" data-align="center">Australia</td><td class="has-text-align-center" data-align="center">20</td><td class="has-text-align-center" data-align="center">117</td></tr><tr><td class="has-text-align-center" data-align="center">Brazil</td><td class="has-text-align-center" 
data-align="center">16</td><td class="has-text-align-center" data-align="center">94</td></tr><tr><td class="has-text-align-center" data-align="center">Chile</td><td class="has-text-align-center" data-align="center">4</td><td class="has-text-align-center" data-align="center">14</td></tr><tr><td class="has-text-align-center" data-align="center">India</td><td class="has-text-align-center" data-align="center">6</td><td class="has-text-align-center" data-align="center">83</td></tr><tr><td class="has-text-align-center" data-align="center">Malaysia</td><td class="has-text-align-center" data-align="center">2</td><td class="has-text-align-center" data-align="center">26</td></tr><tr><td class="has-text-align-center" data-align="center">Thailand</td><td class="has-text-align-center" data-align="center">7</td><td class="has-text-align-center" data-align="center">41</td></tr><tr><td class="has-text-align-center" data-align="center">UAE</td><td class="has-text-align-center" data-align="center">2</td><td class="has-text-align-center" data-align="center">29</td></tr></tbody></table><figcaption class="wp-element-caption">Ransomware increase between 2022 and 2023. Source: Ransomfeed.com</figcaption></figure> <p>If countries like the United States, France, Great Britain, and China cannot protect their computer systems from ransomware attacks, how will LDC countries be able to do so? The industrial, political and social development of these countries is directly linked to cyber security and data protection. It is therefore good to bear in mind that these territories are equally subject to cyber attacks, just like other nations. 
Although they may seem much less impactful in number and scope, it must be borne in mind that the effects are proportional to the security measures available, and these are often very limited if not entirely inadequate to cope with the growing offensive phenomenon.</p> <p>The article <a href="https://www.edoardolimone.com/en/2024/09/01/cyber-attacks-in-countries-with-low-economic-development/">Cyber attacks in countries with low economic development</a> appeared first on <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></content:encoded> </item> <item> <title>The arrest of Pavel Durov</title> <link>https://www.edoardolimone.com/en/2024/08/26/the-arrest-of-pavel-durov/</link> <dc:creator><![CDATA[Edoardo Limone]]></dc:creator> <pubDate>Mon, 26 Aug 2024 20:26:54 +0000</pubDate> <category><![CDATA[Cybersecurity]]></category> <category><![CDATA[Sicurezza Informatica]]></category> <guid isPermaLink="false">https://www.edoardolimone.com/?p=17970</guid> <description><![CDATA[<p>A lot of information is circulating these hours about the arrest of the founder of the messaging service Telegram: Pavel Durov. Not all this information is correct, let’s try to […]</p> <p>The article <a href="https://www.edoardolimone.com/en/2024/08/26/the-arrest-of-pavel-durov/">The arrest of Pavel Durov</a> appeared first on <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></description> <content:encoded><![CDATA[<p>A lot of information is circulating at the moment about the arrest of the founder of the messaging service Telegram, Pavel Durov. Not all of this information is correct, so let’s try to put the facts together and rely on reliable sources.</p> <span id="more-17970"></span> <h2 class="wp-block-heading">What happened</h2> <p><strong>Pavel Durov was arrested on Saturday 24 August 2024 at 20:00</strong> at Le Bourget airport, on the outskirts of Paris. 
His arrest is linked to a judicial investigation launched on 8 July 2024 by Section J3 – JUNALCO (Juridiction Nationale de Lutte contre la Criminalité Organisée) of the Paris Public Prosecutor’s Office. An official presentation of JUNALCO’s findings is available <a href="https://www.tribunal-de-paris.justice.fr/sites/default/files/2024-07/J3%20-%20pr%C3%A9sentation.pdf" target="_blank" rel="noreferrer noopener">by clicking here.</a></p> <figure class="wp-block-image aligncenter size-large"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/08/GV7HuaqW0AAWtYd.png"><img loading="lazy" decoding="async" width="1024" height="719" src="https://www.edoardolimone.com/wp-content/uploads/2024/08/GV7HuaqW0AAWtYd-1024x719.png" alt="" class="wp-image-17960" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/08/GV7HuaqW0AAWtYd-1024x719.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/08/GV7HuaqW0AAWtYd-300x211.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/08/GV7HuaqW0AAWtYd-768x539.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/08/GV7HuaqW0AAWtYd-1536x1078.png 1536w, https://www.edoardolimone.com/wp-content/uploads/2024/08/GV7HuaqW0AAWtYd.png 1594w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption">The English copy of the note issued by the Tribunal Judiciaire de Paris</figcaption></figure> <p>The note of his arrest was issued on 26 July 2024, in which we also read the charges against unknown persons (this is very relevant); in fact it is written: <strong><em>‘This judicial investigation was opened against unnamed</em></strong>‘. At the moment Durov has been detained for questioning, as the note clearly states: <strong><em>‘The investigating magistrates in charge of this preliminary judicial investigation have requested the joint referral of the centre for the fight against cybercrime[…] and the National Anti-Fraud Office for the conduct of the investigation. 
It is within this procedural framework that Pavel DUROV was questioned by the investigators.</em></strong>“</p> <h2 class="wp-block-heading">The charges</h2> <p>There are 12 counts against unknown persons and they are very heavy indeed. An automatic translation is given:</p> <ol class="wp-block-list"> <li>Complicity – web-mastering of an online platform in order to enable an illegal transaction in an organised group,</li> <li>Refusal to disclose, at the request of the competent authorities, information or documents necessary for the performance and operation of wiretaps permitted by law,</li> <li>Complicity – possession of pornographic images of minors,</li> <li>Complicity – distribution, offering or making available pornographic images of minors, in organised groups,</li> <li>Aiding and abetting – acquiring, transporting, possessing, offering or selling drugs,</li> <li>Complicity – the offer, sale or making available, without a legitimate reason, of equipment, tools, programmes or data designed or adapted to gain access to and damage the operation of an automated data processing system,</li> <li>Complicity – organised fraud,</li> <li>Conspiracy to commit a crime or offence punishable by five or more years’ imprisonment,</li> <li>Laundering of proceeds of crime and organised group offences,</li> <li>Provision of encryption services to ensure confidentiality without a certified statement,</li> <li>Provide an encryption tool that guarantees not only authentication or integrity monitoring without prior declaration,</li> <li>Import of an encryption tool that guarantees authentication or integrity monitoring without prior declaration.</li> </ol> <p>Finally, it is worth mentioning that at the end of the text it is written:</p> <pre class="wp-block-preformatted">The pre-trial detention period has been extended until 25 August 2024 by an investigating magistrate and can last up to 96 hours (i.e. 
28 August 2024) due to the applicable procedure for organised crime offences, as mentioned above.</pre> <h2 class="wp-block-heading">The ‘encryption declaration’ business</h2> <p>Among these, one stands out that has intrigued many people, number 10:</p> <p class="has-text-align-center"><strong>Provision of encryption services to ensure confidentiality without certified declaration</strong></p> <p>The question therefore arose as to which certified declaration one is talking about. In all likelihood, one could refer to the <em>‘Loi n° 2004-575 du 21 juin 2004 pour la confiance dans l’économie numérique</em>‘. In Article 31 of the aforementioned law, there are two paragraphs stating the following.</p> <pre class="wp-block-preformatted">I. - The provision of cryptographic services must be declared to the Prime Minister. A decree in the Council of State defines the conditions under which this declaration shall be made and may provide for exceptions to this obligation for services whose technical characteristics or conditions of supply are such that, with respect to the interests of national defence and the internal or external security of the State, such supply may be exempted from any prior formality.<br><br>II. - Persons exercising this activity are subject to professional secrecy, under the conditions laid down in Articles 226-13 and 226-14 of the Criminal Code.<br><br><br><br>I. - La fourniture de prestations de cryptologie doit être déclarée auprès du Premier ministre. Un décret en Conseil d'Etat définit les conditions dans lesquelles est effectuée cette déclaration et peut prévoir des exceptions à cette obligation pour les prestations dont les caractéristiques techniques ou les conditions de fourniture sont telles que, au regard des intérêts de la défense nationale et de la sécurité intérieure ou extérieure de l'Etat, cette fourniture peut être dispensée de toute formalité préalable.<br><br>II. 
- Les personnes exerçant cette activité sont assujetties au secret professionnel, dans les conditions prévues aux articles 226-13 et 226-14 du code pénal.</pre> <p>This essentially means that:</p> <ol class="wp-block-list"> <li>Cryptography adopted by IT solutions must be declared to the Prime Minister when adopted in French software solutions.</li> <li>One is only exempted when there is deemed to be no risk to ‘the interests of national defence and the internal or external security of the state’.</li> </ol> <p>Telegram is a messaging system on a global scale in which, as is well known, illegal activities (such as those specified in the charges) are also conducted, so it is reasonable to think that Article 31 applies in full. It is worth mentioning that France adopts a system similar to that of other countries, including the United States with the <a href="https://www.edoardolimone.com/2022/07/08/google-provvedimento-del-garante-e-sezione-702/" target="_blank" rel="noreferrer noopener">Foreign Intelligence Surveillance Act (FISA).</a></p> <p>In fact, a similar requirement can also be found in the specifications for publishing apps in Apple’s App Store. 
There <a href="https://developer.apple.com/help/app-store-connect/reference/export-compliance-documentation-for-encryption/" target="_blank" rel="noreferrer noopener">it is stated</a> that if the application <strong><em>“uses proprietary encryption algorithms not accepted by international standard bodies (such as IEEE, IETF, or ITU)</em></strong>”, the developer must also provide Apple with the ‘French Encryption Declaration’, with a note that clearly states:</p> <pre class="wp-block-preformatted">The French encryption declaration form is only required if you are distributing your app on the App Store in France.</pre> <h2 class="wp-block-heading">Conclusions</h2> <p>The Durov affair has ignited a lot of discussion on the subject: from the usefulness of the French initiative to the compression of freedom and the right to privacy. There is no doubt, however, that there is an enormous amount of illicit activity within Telegram that is easily accessible, most recently the <a href="https://www.edoardolimone.com/2024/06/16/intelligenza-artificiale-e-violenza-in-rete-su-animali-e-bambini/" target="_blank" rel="noreferrer noopener">case of child abuse</a>.</p> <h2 class="wp-block-heading">Author’s note</h2> <p>I would like to engage the reader in a ‘philosophical’ reflection that <strong>makes no claim to establish a truth</strong> but only to spark critical thoughts.</p> <p>We Italians (or rather Europeans) perceive individual rights as guaranteed by law. The most important case is that of <em>private property</em> or <em>free enterprise</em>. These are ‘sacrosanct rights’ that the common person identifies as ‘individual’. The law guarantees ‘my rights’. 
The American FISA and also the French regulation emphasise the ‘collective good’ that is often forgotten. First of all, there is the collective good and then the good of the individual: this prompted the US government, after 9/11, to strengthen the FISA initially wanted by Nixon. It is not important to establish whether this is right or wrong; for the moment let us just focus on this possible interpretation.</p> <p>In this sense, France, America, and other nations would act for the good of the community in terms of protecting national security (internal or external). On the other hand, however, the most frequent criticism of this model concerns the way in which this information is stored. French regulations make it clear that information acquired by the technology provider will be kept secret, but what if it is not? The issue of rights compression is simply wonderful and has no simple solution (<em>complex problems</em> almost never <em>have simple solutions</em>). In this case perhaps one could also refer to what philosophers call an <em>aporia</em>, i.e. a problem that apparently cannot be solved.</p> <p>Here, if the reader has come this far, he or she knows this: the internal struggle to balance rights and obligations is what makes Western democracy an instrument to be envied. 
In its imperfection, in its fragility, it is nevertheless subject to a continuous search for balance and improvement.</p> <p>The article <a href="https://www.edoardolimone.com/en/2024/08/26/the-arrest-of-pavel-durov/">The arrest of Pavel Durov</a> appeared first on <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></content:encoded> </item> <item> <title>Regulations and Managing a Data Breach</title> <link>https://www.edoardolimone.com/en/2024/08/24/regulations-and-managing-a-data-breach/</link> <dc:creator><![CDATA[Edoardo Limone]]></dc:creator> <pubDate>Sat, 24 Aug 2024 15:28:46 +0000</pubDate> <category><![CDATA[Cybersecurity]]></category> <category><![CDATA[Data Breach]]></category> <category><![CDATA[Digitalizzazione]]></category> <category><![CDATA[Public Administration]]></category> <guid isPermaLink="false">https://www.edoardolimone.com/?p=17941</guid> <description><![CDATA[<p>On 26 July 2024, the Agency for National Cybersecurity (ACN) published the ‘Guide to Reporting Incidents to CSIRT Italy’. It is a 56-page document that gathers some interesting information that […]</p> <p>The article <a href="https://www.edoardolimone.com/en/2024/08/24/regulations-and-managing-a-data-breach/">Regulations and Managing a Data Breach</a> appeared first on <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></description> <content:encoded><![CDATA[<p>On 26 July 2024, the Agency for National Cybersecurity (ACN) published the ‘Guide to Reporting Incidents to CSIRT Italy’. It is a 56-page document that gathers some interesting information that we are going to analyse.</p> <span id="more-17941"></span> <h2 class="wp-block-heading">The notification process</h2> <p>In the following sections, some aspects of computer incident reporting will be discussed. 
In particular, aspects related to notification timing, incident types and also the notification process will be addressed.</p> <p>Before starting, it is worth mentioning that the document published by the ACN can be found <a href="https://www.acn.gov.it/portale/documents/d/guest/acn_guida_notifica_incidenti_clear">by clicking here</a> and includes many relevant aspects concerning the <em>process of notifying</em> a cyber incident. The document is overall well written but, as often happens in Italian legislation, it obliges the user to jump from one regulatory reference to another: in this case, for example, DPCM no. 81/2021, which includes the taxonomy of incidents in Annex A, or the ACN Determination of 3 January 2023.</p> <p>For convenience, this taxonomy will be listed below, but it is important to understand what these taxonomies include:</p> <ul class="wp-block-list"> <li>the table with the ‘ICP-A’ identifiers indicates the types of incidents impacting ICT assets or contiguous assets <strong>to be notified within 6 hours</strong> (defined in Annex A of Prime Ministerial Decree No. 81/2021);</li> <li>the table with the ‘ICP-B’ identifiers indicates the types of incidents impacting ICT assets or contiguous assets <strong>to be notified within 1 hour</strong> (defined in Annex A of Prime Ministerial Decree No. 
81/2021);</li> <li>the table with the ‘ICP-C’ identifiers indicates the types of incidents with impact on networks, <strong>information</strong> systems <strong>and information services other than ICT assets</strong> (defined in Annex A of the ACN Determination of 3 January 2023).</li> </ul> <p>For greater clarity, please refer to the following table, taken from the image produced by ACN on page 16 of the Guide.</p> <figure class="wp-block-table has-small-font-size"><table class="has-fixed-layout"><thead><tr><th>TYPE OF EVENT</th><th>ASSET IDENTIFICATION</th><th>INCIDENT IDENTIFICATION CLASS</th><th>TYPE OF NOTIFICATION</th><th>TIMING</th></tr></thead><tbody><tr><td>Incident falling within the classifications of the taxonomy</td><td>ICT ASSET OR CONTIGUOUS ASSET</td><td>ICP-B</td><td>OBLIGATORY</td><td>WITHIN 1 HOUR of incident detection</td></tr><tr><td>Incident falling within the classifications of the taxonomy</td><td>ICT ASSET OR CONTIGUOUS ASSET</td><td>ICP-A</td><td>OBLIGATORY</td><td>WITHIN 6 HOURS of incident detection</td></tr><tr><td>Incident falling within the classifications of the taxonomy</td><td>OTHER THAN ICT ASSET</td><td>ICP-C</td><td>OBLIGATORY</td><td><b>Reporting:</b><br>WITHIN 24 HOURS<br><br><b>Notification</b>: <br>WITHIN 72 HOURS of incident detection</td></tr><tr><td>Incident falling within the classifications of the taxonomy</td><td>OTHER THAN ICT ASSET AND CONTIGUOUS ASSET</td><td>ICP-A/B</td><td>VOLUNTARY</td><td>NO TIMING</td></tr><tr><td>Incident that does not fall within the classifications of the taxonomy</td><td>ICT ASSETS</td><td>–</td><td>VOLUNTARY</td><td>NO TIMING</td></tr></tbody></table></figure> <p>The notification process consists of four main phases, which are <em>preparation of the notification</em>, <em>notification</em> <em>to the Italian CSIRT</em>, <em>management of the notification</em>, and <em>closure of the incident</em>. 
Some details for each phase are provided below.</p> <figure class="wp-block-table has-medium-font-size"><table class="has-fixed-layout"><thead><tr><th>Phase</th><th>Description</th></tr></thead><tbody><tr><td><strong>Preparation of the notification</strong></td><td>At this stage it is necessary to communicate at least:<br>– the type of ICT asset impacted;<br>– the type of incident in relation to the taxonomy defined by ACN (ICP-A, ICP-B, ICP-C).<br><br>It is also necessary to proceed to:<br>– collection of evidence related to the incident;<br>– self-assessment of the impact on the systems and the provision of business services;<br>– drawing up of a recovery plan.<br><br>Finally, the incident report must be prepared, where applicable.</td></tr><tr><td><strong>Notification to the CSIRT</strong></td><td>The notification to the CSIRT requires information on the type of impact according to the following criteria:<br>– impact on ICT asset (notification art.3, paragraph 1 DPCM n. 81/2021);<br>– impact on contiguous networks/systems (notification art.3, paragraph 3 DPCM n. 81/2021);<br>– impact on other assets (notification art.1, paragraph 3-bis of Legislative Decree no. 
105/2019);<br>– impact for which there is no reporting obligation;<br>– date and time of detection of the incident;<br>– further details of the incident;<br>– list of IOCs (Indicators Of Compromise);<br>– evidence found (logs, samples, etc.).</td></tr><tr><td><strong>Notification Management</strong></td><td>Following the report, if any, and/or notification, a direct communication channel will be opened through which CSIRT Italia will provide support for incident handling activities, and may request further information to supplement the notification.</td></tr><tr><td><strong>Closing the incident</strong></td><td>Once the restoration activities of the impacted ICT assets have been defined and started, the PSNC subject shall promptly notify CSIRT Italia, which, at this point, will be entitled to request from the subject a technical report of the incident concerning its significant aspects.</td></tr></tbody></table><figcaption class="wp-element-caption">Information acquired and processed on the basis of Page 20 of the Guide</figcaption></figure> <h3 class="wp-block-heading">Taxonomy of DPCM No. 81/2021 incidents</h3> <p>The taxonomy of incidents includes a mapping of the main types of ‘computer incident’ with their identifier, category and description. 
The taxonomy consists of two tables: incidents with identifier ICP-A are part of TABLE 1, incidents with identifier ICP-B are part of TABLE 2.</p> <p class="has-text-align-center"><strong>TABLE 1</strong></p> <figure class="wp-block-table has-small-font-size"><table class="has-fixed-layout"><thead><tr><th>Identifier (Impact Incident-ICP)</th><th>Category</th><th>Description</th></tr></thead><tbody><tr><td>ICP-A-1</td><td>Infection (Initial exploitation)</td><td>The subject has evidence of the actual unauthorised execution of code or malware conveyed through infection vectors or by exploiting vulnerabilities of exposed network resources.</td></tr><tr><td>ICP-A-2</td><td rowspan="9">Violation of the expected level of service</td><td>Defined by the entity included in the perimeter in accordance with the security measures in Annex B, in terms of computing resources, memory and/or bandwidth.</td></tr><tr><td>ICP-A-3</td><td>Defined by the entity included in the perimeter pursuant to the security measures in Annex B, hot-replica and/or cold-replica and/or disaster recovery site(s), if any.</td></tr><tr><td>ICP-A-4</td><td>Defined by the entity included in the perimeter in accordance with the security measures in Annex B, in terms of unavailability, irreversible loss or irreversible corruption of data from the field components (actuators and sensors).</td></tr><tr><td>ICP-A-5</td><td>Hot-replica and/or cold-replica data and/or disaster recovery site(s) and/or backup, if any, lost or irreversibly corrupted.</td></tr><tr><td>ICP-A-6</td><td>Loss of confidentiality or integrity.</td></tr><tr><td>ICP-A-7</td><td>Irreversible data loss and/or corruption.</td></tr><tr><td>ICP-A-8</td><td>Loss and/or compromise of encryption keys and/or certificates.</td></tr><tr><td>ICP-A-9</td><td>Loss and/or compromise of user credentials.</td></tr><tr><td>ICP-A-10</td><td>Violation of the expected level of service, defined by the entity included in the perimeter in accordance with the 
provisions of the security measures in Annex B, in terms of impossibility of physical access to the components.</td></tr><tr><td>ICP-A-11</td><td rowspan="4">Establish persistence</td><td>Obtaining higher-level privileges (Privilege Escalation). The subject has evidence of the unauthorised use of techniques, conducted from within the network, to obtain higher-level privileges.</td></tr><tr><td>ICP-A-12</td><td>Persistence. The subject has evidence of the unauthorised use of techniques, conducted from within the network, to obtain persistence of malicious code or access.</td></tr><tr><td>ICP-A-13</td><td>Defence Evasion. The subject has evidence of the unauthorised use of techniques through which security systems were effectively evaded.</td></tr><tr><td>ICP-A-14</td><td>Command and Control. The subject has evidence of unauthorised communication outside the network.</td></tr><tr><td>ICP-A-15</td><td rowspan="3">Lateral Movement</td><td>Exploration (Discovery). The subject has evidence of the unauthorised use of techniques, conducted from within the network, to carry out reconnaissance activities.</td></tr><tr><td>ICP-A-16</td><td>Credential Access. The person has evidence of unauthorised use of techniques to acquire, from within the network, valid credentials for authentication to network resources or finds unauthorised copies of them.</td></tr><tr><td>ICP-A-17</td><td>The subject has evidence of the unauthorised use of techniques to access or execute code between internal network resources.</td></tr><tr><td>ICP-A-18</td><td rowspan="2">Actions on Objectives</td><td>Collection. The person has evidence of the unauthorised use of techniques to collect, from within the network, data of interest to third parties or finds unauthorised copies of such data.</td></tr><tr><td>ICP-A-19</td><td>Exfiltration. 
The subject has evidence of the unauthorised use of techniques to exfiltrate data from within the network to external resources.</td></tr></tbody></table></figure> <p class="has-text-align-center"><strong>TABLE 2</strong></p> <figure class="wp-block-table has-small-font-size"><table class="has-fixed-layout"><thead><tr><th>Identifier</th><th>Category</th><th>Description</th></tr></thead><tbody><tr><td>ICP-B-1</td><td rowspan="3">Inhibit Response Function</td><td>The person has evidence of the unauthorised use of techniques to inhibit the intervention of safety, security and quality assurance functions of industrial control systems designed to respond to a malfunction or abnormal state.</td></tr><tr><td>ICP-B-2</td><td>Impairment of Control Processes (Impair Process Control). The subject has evidence of the unauthorised use of techniques to manipulate, disable or damage the physical control processes of industrial control systems.</td></tr><tr><td>ICP-B-3</td><td>Intentional Disruption (Impact). The subject has evidence of the unauthorised use of techniques to manipulate, degrade, disrupt or destroy systems, services or data. 
This includes, for example, Denial of Service/Distributed Denial of Service events impacting ICT assets.</td></tr><tr><td>ICP-B-4</td><td rowspan="3">Failure</td><td>Breach of the expected level of service of the ICT asset, as defined by the entity included in the perimeter pursuant to the security measures in Annex B, especially in terms of availability.</td></tr><tr><td>ICP-B-5</td><td>Disclosure of corrupted data, or execution of corrupted transactions, via the ICT asset.</td></tr><tr><td>ICP-B-6</td><td>Unauthorised disclosure of digital data relating to ICT assets.</td></tr></tbody></table></figure> <h3 class="wp-block-heading">Taxonomy of ACN Determination 03/01/2023</h3> <figure class="wp-block-table has-small-font-size"><table class="has-fixed-layout"><thead><tr><th>Identifier</th><th>Category</th><th>Description</th></tr></thead><tbody><tr><td>ICP-C-1</td><td>Initial exploitation</td><td>Initial access. The subject has evidence of actual unauthorised access within the network through infection vectors, exploitation of vulnerabilities in publicly exposed resources or any other known technique.</td></tr><tr><td>ICP-C-2</td><td>Execution</td><td>Execution. The subject has evidence of the actual unauthorised execution of code or malware within the corporate network.</td></tr><tr><td>ICP-C-3</td><td>Establish persistence</td><td>Obtaining higher-level privileges (Privilege Escalation). The subject has evidence of the unauthorised use of techniques, conducted from within the network, to obtain higher-level privileges on a system or network.</td></tr><tr><td>ICP-C-4</td><td>Persistence</td><td>Persistence. The subject has evidence of the unauthorised use of techniques, conducted on a system or within the network, to obtain persistence of malicious code or to maintain access.</td></tr><tr><td>ICP-C-5</td><td>Defence Evasion</td><td>Defence Evasion. 
The subject has evidence of the unauthorised use of techniques to circumvent security policies and/or systems, designed to avoid detection during an attempted compromise.</td></tr><tr><td>ICP-C-6</td><td>Command and Control</td><td>Command and Control. The subject has evidence of unauthorised communication outside the network.</td></tr><tr><td>ICP-C-7</td><td>Lateral Movement</td><td>Exploration (Discovery). The subject has evidence of the unauthorised use of techniques, conducted from within the network, to carry out reconnaissance activities to gain knowledge about the system and the internal network.</td></tr><tr><td>ICP-C-8</td><td>Credential Access</td><td>Credential Access. The subject has evidence of the unauthorised use of techniques to acquire, from within the network, valid credentials for authentication to network resources, or finds unauthorised copies of them.</td></tr><tr><td>ICP-C-9</td><td>Lateral Movement</td><td>Lateral Movement. The subject has evidence of the unauthorised use of techniques to access, control or execute code among internal network resources.</td></tr><tr><td>ICP-C-10</td><td>Actions on objectives</td><td>Collection. The subject has evidence of the unauthorised use of techniques to search for and/or collect, from within the network, confidential and/or sensitive data, or detects their presence outside the systems authorised to process them.</td></tr><tr><td>ICP-C-11</td><td>Exfiltration</td><td>Exfiltration. The subject has evidence of the unauthorised use of techniques to exfiltrate data from within the network to external resources.</td></tr><tr><td>ICP-C-12</td><td>Inhibit Response Function</td><td>Inhibit Response Function. 
The subject has evidence of the unauthorised use of techniques to inhibit the intervention of the safety, security and quality assurance functions of industrial control systems that are designed to respond to a failure or abnormal state.</td></tr><tr><td>ICP-C-13</td><td>Impair Process Control</td><td>Impairment of Control Processes (Impair Process Control). The subject has evidence of the unauthorised use of techniques to manipulate, disable or damage the physical control processes of industrial control systems.</td></tr><tr><td>ICP-C-14</td><td>Intentional Disruption (Impact)</td><td>Intentional Disruption (Impact). The subject has evidence of the unauthorised use of techniques to manipulate, degrade, disrupt or destroy systems, services or data. This includes, for example, Denial of Service/Distributed Denial of Service events impacting ICT assets.</td></tr><tr><td>ICP-C-15</td><td>Reconnaissance related to spearphishing activities</td><td>Reconnaissance consists of the techniques that adversaries adopt to gather, actively or passively, information that can potentially be exploited for subsequent activities. This specific category includes campaigns, even where they have no impact on corporate assets, detected via e-mail (PEO, ordinary e-mail, and/or PEC, certified e-mail) and consisting of highly personalised messages (spearphishing), addressed to multiple users of the same organisation and aimed at capturing information, for instance through malicious attachments or web links.</td></tr></tbody></table></figure> <h3 class="wp-block-heading">Compulsory and non-compulsory</h3> <p>Notification of an incident falls into two categories. It is mandatory when the incident falls within the taxonomies above and affects an ICT asset of the types listed in Annex A; it is voluntary (non-mandatory) in the following cases:</p> <ul class="wp-block-list"> <li>the ICT asset affected by the incident <strong>does not fall within one of the typologies of the taxonomy set out in Annex A to Prime Ministerial Decree No. 
81/2021.</strong></li> <li>the incident relates to networks, information systems and computer services <strong>belonging to the entity itself</strong>, other than ICT assets and contiguous assets, and falls under one of the typologies of the taxonomy in Annex A to Prime Ministerial Decree No. 81/2021.</li> </ul> <p>The notification can be made online at: <a href="https://www.csirt.gov.it/segnalazione">https://www.csirt.gov.it/segnalazione</a></p> <figure class="wp-block-image aligncenter size-large is-resized"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/08/image.png"><img loading="lazy" decoding="async" width="912" height="1024" src="https://www.edoardolimone.com/wp-content/uploads/2024/08/image-912x1024.png" alt="" class="wp-image-17940" style="width:658px;height:auto" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/08/image-912x1024.png 912w, https://www.edoardolimone.com/wp-content/uploads/2024/08/image-267x300.png 267w, https://www.edoardolimone.com/wp-content/uploads/2024/08/image-768x862.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/08/image-1369x1536.png 1369w, https://www.edoardolimone.com/wp-content/uploads/2024/08/image.png 1374w" sizes="(max-width: 912px) 100vw, 912px" /></a><figcaption class="wp-element-caption">ACN notification page as at 22/08/2024</figcaption></figure> <h2 class="wp-block-heading">Some conclusions</h2> <p>The document is certainly useful but suffers, in my opinion, from some chronic problems.</p> <h3 class="wp-block-heading">It is not an autonomous document</h3> <p>The first aspect is its dependence on other standards, circulars and documents, which prevents the user from really using the guide as a <em>tool</em>. Instead, the reader must be prepared to ‘jump’ between one text and another, hoping that in the meantime the information has been kept up to date in all the sources. 
For this reason, the ACN guide cannot be regarded as a <em>‘stand-alone’</em> document: its validity rests on two other documents, namely:</p> <ol class="wp-block-list"> <li>The ACN Determination 03/01/2023</li> <li>Annex A of Prime Ministerial Decree No. 81/2021</li> </ol> <p>As regards the completeness of the taxonomies, it must be said that both sources (the Determination and Annex A of the DPCM) are very complete and cover the relevant aspects, including the <em>lateral movement</em> typical of <em><a href="https://www.edoardolimone.com/2024/06/09/cosa-e-il-dwell-time-in-cybersecurity/" target="_blank" rel="noreferrer noopener">dwell time</a></em>.</p> <h3 class="wp-block-heading">Increasingly complicated timelines</h3> <p>Notification is becoming a complex process, involving multiple authorities and multiple time intervals, especially if the entity is subject to several regulations or directives.</p> <figure class="wp-block-table has-small-font-size"><table class="has-fixed-layout"><thead><tr><th>Regulation</th><th>Notification Times</th><th>Recipient of the Notification</th></tr></thead><tbody><tr><td>GDPR (General Data Protection Regulation)</td><td>Without undue delay and, where feasible, within 72 hours of becoming aware of the personal data breach (Art. 33).</td><td>Competent supervisory authority (e.g. 
Garante per la protezione dei dati personali in Italy).</td></tr><tr><td>NIS2 (Network and Information Security Directive)</td><td>Early warning within 24 hours of becoming aware of a significant incident, incident notification within 72 hours, and a final report within one month (Art. 23).</td><td>National Computer Security Incident Response Team (CSIRT) or the designated competent authority.</td></tr><tr><td>DORA (Digital Operational Resilience Act)</td><td>Initial notification, intermediate report and final report of a major ICT-related incident (Art. 19); the Regulation itself sets no deadline in hours and delegates the time limits to regulatory technical standards (Art. 20).</td><td>The competent financial supervisory authority (the national supervisor or, for directly supervised credit institutions, the ECB), which in turn informs the other authorities concerned.</td></tr></tbody></table></figure> <p>It would have been useful to have a single process that, depending for example on the type of data involved, automatically forwards a report to the Data Protection Authority. This would have simplified the reporting of the incident and made the process more efficient.</p> <h3 class="wp-block-heading">Restoration would require more</h3> <p>During the notification process, in the <em>‘notification preparation’</em> phase to be exact, ACN lists <em>‘planning a recovery plan’</em> as one of the activities to be performed. Following a computer incident, while the organisation is busy working out ‘what to do’, ‘how to do it’ and ‘whom to notify’, in one of the moments of greatest agitation and crisis, ACN asks it to <em>‘plan a recovery plan’</em>.</p> <p>It would have been better to turn that <em>“plan a recovery plan”</em> into <em>“implement a recovery plan”</em>, because with the verb <em>implement</em> the ACN would have given more weight to the recovery phase. Indeed, it must be considered that the actors subject to AgID’s Circular 2/2017 (the minimum ICT security measures for P.A.) 
provide for the establishment of recovery strategies.</p> <figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th>ABSC_ID</th><th>Measure</th></tr></thead><tbody><tr><td>10.2.1</td><td>Periodically check the usability of backup copies by means of a test restore</td></tr></tbody></table></figure> <p>Rule 10.2.1 requires a periodic activity that verifies the usability of backup copies by means of a <em>test restore</em>. In essence, during <em>incident response</em> one should not <em>plan a recovery plan</em> but <em>implement a recovery plan</em>, designed and kept up to date before the moment of crisis.</p> <p>To <em>‘plan a plan’</em> is to <em>waste time</em>, worsening the potential damage caused by the incident. It also legitimises not doing <em>risk analysis</em>, since the purpose of a risk analysis is not only to know the threats but to prepare an adequate response. It does away with the concepts of <em>business continuity plan</em>, <em>disaster recovery plan</em> and all those planning activities that should be carried out <em>ex ante</em>, before the incident.</p> <p>Finally, this ‘planning a plan’ is in outright conflict with the GDPR and NIS2 paradigm, which attempts to anticipate the incident through threat identification and response planning.</p> <h3 class="wp-block-heading">Final considerations</h3> <p>The multiplication of directives and regulations generates a redundancy of time and procedures to the detriment of the final actors, who are already fully engaged in managing the incident from a technical, organisational and communication point of view.</p> <p>The notification activity, which given the crisis situation should be reasonably streamlined and practical, risks becoming a complex, tortuous process of mediation between several actors, each with its own sub-procedures and timeframes.</p> <p>Italy rushes to create <em>steering committees</em>, <em>single round tables</em>, <em>central 
agencies</em>, <em>‘once only’ principles</em>, but then distributes information on more regulations, concerning more subjects, with more timeframes and different responsibilities.</p> <p>The question arises as to whether those who design all these structures have any real understanding of what it might mean to handle a data breach.</p> <p>L'articolo <a href="https://www.edoardolimone.com/en/2024/08/24/regulations-and-managing-a-data-breach/">Regulations and Managing a Data Breach</a> proviene da <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></content:encoded> </item> <item> <title>Data breach: Bucci-Olmi notary firm</title> <link>https://www.edoardolimone.com/en/2024/07/17/data-breach-bucci-olmi-notary-firm/</link> <dc:creator><![CDATA[Edoardo Limone]]></dc:creator> <pubDate>Wed, 17 Jul 2024 10:57:59 +0000</pubDate> <category><![CDATA[Cybersecurity]]></category> <category><![CDATA[Data Breach]]></category> <category><![CDATA[Everest]]></category> <category><![CDATA[Sicurezza Informatica]]></category> <guid isPermaLink="false">https://www.edoardolimone.com/?p=18640</guid> <description><![CDATA[<p>The Everest Group hit a notary firm and this data breach is likely to have truly dramatic connotations considering the type of target and the amount of data exfiltrated. Let […]</p> <p>L'articolo <a href="https://www.edoardolimone.com/en/2024/07/17/data-breach-bucci-olmi-notary-firm/">Data breach: Bucci-Olmi notary firm</a> proviene da <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></description> <content:encoded><![CDATA[<p>The Everest Group hit a notary firm and this data breach is likely to have truly dramatic connotations considering the type of target and the amount of data exfiltrated. 
Let us take stock of the situation.</p> <span id="more-18640"></span> <figure class="wp-block-image aligncenter size-large"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/07/image-10.png"><img loading="lazy" decoding="async" width="1024" height="238" src="https://www.edoardolimone.com/wp-content/uploads/2024/07/image-10-1024x238.png" alt="" class="wp-image-18639" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/07/image-10-1024x238.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/07/image-10-300x70.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/07/image-10-768x179.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/07/image-10-1536x357.png 1536w, https://www.edoardolimone.com/wp-content/uploads/2024/07/image-10.png 1707w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></figure> <h2 class="wp-block-heading">General Information</h2> <p>On 17/07/2024, the Everest cybergang published a claim against the Bucci – Olmi Notary Firm, with an alleged data exfiltration of 400 GB. According to Everest, the information will be made public by 20/07/2024. 
The claim, as always, was picked up promptly via the <a href="https://www.ransomfeed.it">Ransomfeed.it</a> channel and is reproduced below.</p> <p>From the sample files published by the Everest group, one can see identity documents, forms for changes to items relating to a property and, above all, copies of notarial deeds, among which the opening part of a succession deed stands out.</p> <h3 class="wp-block-heading">History of events</h3> <ul class="wp-block-list timeline"> <li>15/07/2024 – Creation of the folder for the public distribution of the files</li> <li>17/07/2024 – Everest Group claim</li> <li>24/07/2024 – Upload of the files to the publication portal, without any announcement</li> <li>26/07/2024 – News of the publication of the files by the Everest Group</li> </ul> <h3 class="wp-block-heading">Overview of risks</h3> <p>Notarial deeds contain personal data and, given their nature, in some cases special categories of data: succession deeds, sale and purchase deeds and company deeds that should remain confidential are now in Everest’s possession. 
Studio Notarile Bucci-Olmi deals, among other things, according to its website, with:</p> <ul class="wp-block-list"> <li>Buying and selling real estate;</li> <li>Mortgages and financing;</li> <li>Wills, successions, protection of heirs;</li> <li>Consulting and drafting of articles of incorporation and amendments of partnerships and corporations;</li> <li>Drafting of minutes of meetings and minutes of board meetings in the form of a public deed;</li> <li>Corporate consulting for incorporations, mergers, demergers, transformations and extraordinary capital transactions;</li> <li>Chamber of Commerce searches and extracts of deeds from the Register of Companies;</li> <li>Acts related to the management of residence permits.</li> </ul> <p>A 400 GB mass of data is large and potentially very extensive: it may include hundreds and hundreds of deeds, scans, personal documents, invoices, etc.</p> <pre class="wp-block-preformatted"><strong>INVOICE DATA</strong><br>Date: 17/07/2024<br>Invoice: 003<br><br><strong>CUSTOMER</strong><br>LUCA ROSSI<br>VIA STRADA 1 - 00100 - ROME<br>F.C.: RSSLCU85M01H501L<br><br><strong>SUBJECT</strong><br>INHERITANCE OF MARIO ROSSI (ADDITIONAL BENEFICIARIES: LUCA ROSSI C.F.: RSSLCU85M01H501L; MARIA BIANCHI C.F.: BNCMRA92T41Z404D; GIORGIO VERDI C.F.: VRDGRG74A01F205X; SARA NERI C.F.: NRISRA88E41H501U; FRANCESCO FERRARI C.F.: FRRFNC81L11D704K; ELENA COSTA C.F.: CSTLNE79P41E200Z; MARIO ROMANO C.F.: RMNMRR90B01F205Y; GIULIA GATTI C.F.: GTTGLI95S41H501E; ANDREA ESPOSITO C.F.: SPSNDR83R01H703J; LAURA MARINI C.F.: MRNLRA87M41Z404S)</pre> <p>A reconstructed example (with fictitious data) of a stolen invoice, from which one can see not only the data of the first holder but also the data of the other beneficiaries. 
It should be noted that the <a href="https://www.ransomfeed.it/" target="_blank" rel="noreferrer noopener">Ransomfeed.it</a> report was issued at 01:35 AM and was promptly picked up.</p> <figure class="wp-block-image aligncenter size-full"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/07/image-12.png"><img loading="lazy" decoding="async" width="991" height="358" src="https://www.edoardolimone.com/wp-content/uploads/2024/07/image-12.png" alt="" class="wp-image-18637" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/07/image-12.png 991w, https://www.edoardolimone.com/wp-content/uploads/2024/07/image-12-300x108.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/07/image-12-768x277.png 768w" sizes="(max-width: 991px) 100vw, 991px" /></a></figure> <p>At 12:46 p.m. on 17 July 2024, no notice had appeared on the notaries’ official portal giving news of what had happened, but this does not mean that private communications had not already started via other channels.</p> <figure class="wp-block-image aligncenter size-large"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/07/image-11.png"><img loading="lazy" decoding="async" width="1024" height="535" src="https://www.edoardolimone.com/wp-content/uploads/2024/07/image-11-1024x535.png" alt="" class="wp-image-18638" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/07/image-11-1024x535.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/07/image-11-300x157.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/07/image-11-768x401.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/07/image-11-1536x802.png 1536w, https://www.edoardolimone.com/wp-content/uploads/2024/07/image-11.png 1906w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></figure> <h3 class="wp-block-heading">The Bucci-Olmi Notary Studio</h3> <p>Studio Notarile Bucci – Olmi is based in Ancona and is run by two notaries: Renato Bucci and Luigi Olmi. 
The history of the firm is fully described on its official website.</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>The associated firm was established on 1 September 1978 under the name of ‘Studio dei Notai Guido Bucci – Giuseppe Salvatore – Ugo Salvatore’, when the three owners decided to combine their professionalism and skills in order to guarantee a better service to clients. After the untimely death of notary Giuseppe Salvatore, the firm continued its activities with the two owners Guido Bucci and Ugo Salvatore until 17 June 2006, when notary Luigi Olmi joined the association. He was appointed notary in Ancona by decree in May 2006, after having passed the competition announced by ministerial decree in December 2002. In January 2007, notary Ugo Salvatore, after 48 years dedicated to the profession and representation in notarial bodies (he was President and member of the District Notary Council, member of the National Council of Notaries, secretary of the National Fund of Notaries and member of Notarial Competition Commissions), ceased his activity, without, however, failing to make his contribution to national bodies as representative of retired notaries at the National Fund of Notaries, a position he held until 2013. In April 2012, notary Renato Bucci joined the association. After practising in the Turin district following his appointment on 28 June 2011, he was transferred to Ancona. (Source: <a href="https://www.studionotarilebucciolmi.it/">Studio Notarile Bucci-Olmi</a>)</p> </blockquote> <p>The firm is well-established in and around Ancona and this could make the repercussions of the data breach more serious.</p> <h3 class="wp-block-heading">Ethics note</h3> <p>It was decided not to publish any stolen material, even if censored. The Bucci-Olmi Notary Studio will have to cope with a crisis that is serious enough in itself, and the publication of material, even if anonymised, would not help the situation. 
Readers will still be able to refer to what is reported in the article and, where applicable, to faithful textual reconstructions of what was published by the attackers, which however contain no real data.</p> <h2 class="wp-block-heading">Considerations on exfiltrated files</h2> <p>As noted in the updates section below, the Everest group published the files exfiltrated from Studio Notarile Bucci Olmi; some considerations follow. The material consists of several RAR archives, each containing a portion of the exfiltrated files. This means that the Everest collective sought to maximise the effectiveness of the attack by making the files available in multiple archives that are easy to download from the Internet. <strong>It would therefore not be necessary to download the entire 400 GB to get hold of files belonging to the Bucci-Olmi Notary Firm.</strong></p> <p>Each archive may contain a multitude of files and documents, including:</p> <ul class="wp-block-list"> <li>Declarations in lieu of affidavit</li> <li>Contracts of various kinds (sale/purchase/rental)</li> <li>Company deeds</li> <li>Wills</li> </ul> <p>Please note that each deed includes the personal data of individuals. It is also easy to assume that the archives contain documents such as:</p> <ul class="wp-block-list"> <li>Land registry searches (with personal and property data)</li> <li>Mortgage inspection reports</li> <li>Company searches at the Chamber of Commerce</li> <li>Tax payment receipts</li> <li>E-mail messages exchanged with public offices and clients</li> </ul> <h2 class="wp-block-heading">Conclusions</h2> <p>Updates on the data breach follow below, but before closing the article it is worth pausing for a second to comment on what happened. On 20 November 2020, EuroNotaries, a well-known notary association founded by Studio Genghini & Associati, held an online event to train and raise awareness among notaries on cybersecurity. 
It was an important event, attended by many notaries, but only the younger ones asked questions about improving cybersecurity. Over time, participation in these webinars would confirm what was perceived at the time.</p> <p>Cybersecurity is crucial for notaries, accountants and lawyers, because the data in their possession are of the highest sensitivity and importance. The Bucci-Olmi data breach is just one of many that have affected the notarial profession. These professional orders need to take cybersecurity very seriously, otherwise the classic mismatch arises between the relevance of the processing and the inadequacy of the technical and organisational cybersecurity measures.</p> <h2 class="wp-block-heading">Abuse reported</h2> <figure class="wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-3 is-layout-flex wp-block-gallery-is-layout-flex"><figure class="wp-block-image size-large"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/07/Screenshot-2024-07-26-alle-15.32.42-1.png"><img loading="lazy" decoding="async" width="1024" height="507" data-id="18630" src="https://www.edoardolimone.com/wp-content/uploads/2024/07/Screenshot-2024-07-26-alle-15.32.42-1-1024x507.png" alt="" class="wp-image-18630" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/07/Screenshot-2024-07-26-alle-15.32.42-1-1024x507.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/07/Screenshot-2024-07-26-alle-15.32.42-1-300x149.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/07/Screenshot-2024-07-26-alle-15.32.42-1-768x380.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/07/Screenshot-2024-07-26-alle-15.32.42-1-1536x761.png 1536w, https://www.edoardolimone.com/wp-content/uploads/2024/07/Screenshot-2024-07-26-alle-15.32.42-1.png 1920w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption">Sent at 15:32:42</figcaption></figure> <figure 
class="wp-block-image size-large"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/07/Screenshot-2024-07-26-alle-16.13.19.png"><img loading="lazy" decoding="async" width="1024" height="223" data-id="18631" src="https://www.edoardolimone.com/wp-content/uploads/2024/07/Screenshot-2024-07-26-alle-16.13.19-1024x223.png" alt="" class="wp-image-18631" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/07/Screenshot-2024-07-26-alle-16.13.19-1024x223.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/07/Screenshot-2024-07-26-alle-16.13.19-300x65.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/07/Screenshot-2024-07-26-alle-16.13.19-768x167.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/07/Screenshot-2024-07-26-alle-16.13.19-1536x335.png 1536w, https://www.edoardolimone.com/wp-content/uploads/2024/07/Screenshot-2024-07-26-alle-16.13.19.png 1651w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></figure> </figure> <p>The data breach was serious, and it was possible to report the abuse directly to the administrators of the file-hosting platform used by Everest to publish the files. So, at 15:32 on 26/07/2024, the ‘Abuse’ function was used and the problem was described in a message. The platform’s technical staff took the files down shortly afterwards, at around 16:13: all the file links were broken and the folder now appears empty. 
This will probably not stop Everest from publishing the files: the group will most likely switch to another channel or simply another account, but it should at least help slow down their spread.</p> <figure class="wp-block-image aligncenter size-large"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/07/Screenshot-2024-07-26-alle-16.16.47.png"><img loading="lazy" decoding="async" width="1024" height="146" src="https://www.edoardolimone.com/wp-content/uploads/2024/07/Screenshot-2024-07-26-alle-16.16.47-1024x146.png" alt="" class="wp-image-18629" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/07/Screenshot-2024-07-26-alle-16.16.47-1024x146.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/07/Screenshot-2024-07-26-alle-16.16.47-300x43.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/07/Screenshot-2024-07-26-alle-16.16.47-768x109.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/07/Screenshot-2024-07-26-alle-16.16.47-1536x219.png 1536w, https://www.edoardolimone.com/wp-content/uploads/2024/07/Screenshot-2024-07-26-alle-16.16.47.png 1650w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption">Shortly after the report, the folder appears empty</figcaption></figure> <hr class="wp-block-separator has-alpha-channel-opacity" /> <h2 class="wp-block-heading">Updates</h2> <h3 class="wp-block-heading">21/07/2024-11:02-no publication of data yet</h3> <figure class="wp-block-image aligncenter size-full"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/07/image-13.png"><img loading="lazy" decoding="async" width="996" height="430" src="https://www.edoardolimone.com/wp-content/uploads/2024/07/image-13.png" alt="" class="wp-image-18635" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/07/image-13.png 996w, https://www.edoardolimone.com/wp-content/uploads/2024/07/image-13-300x130.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/07/image-13-768x332.png 
768w" sizes="(max-width: 996px) 100vw, 996px" /></a><figcaption class="wp-element-caption">The hackers’ notice set a three-day deadline to make contact with them.</figcaption></figure> <p>To date, the Everest collective has not yet published the data from the breach. The collective had given the Bucci-Olmi Notary Firm 3 days to make contact, and this deadline expired on 20/07/2024.</p> <h3 class="wp-block-heading">23/07/2024-09:34-no publication of data yet</h3> <p>The silence from the Everest group continues: it has not yet published the 400 GB of files exfiltrated from the Bucci-Olmi Notary Studio.</p> <h3 class="wp-block-heading">25/07/2024-11:25-no publication of data yet</h3> <p>The Everest Group has not yet published the files exfiltrated from the Bucci-Olmi Notary Firm. Monitoring activities will continue.</p> <h3 class="wp-block-heading">26/07/2024-15:00-Publication of exfiltrated files on the Internet</h3> <figure class="wp-block-image aligncenter size-large"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/07/Bucci-Olmi-Screenshot-2024-07-26-alle-15.42.12.png"><img loading="lazy" decoding="async" width="1024" height="455" src="https://www.edoardolimone.com/wp-content/uploads/2024/07/Bucci-Olmi-Screenshot-2024-07-26-alle-15.42.12-1024x455.png" alt="" class="wp-image-18632" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/07/Bucci-Olmi-Screenshot-2024-07-26-alle-15.42.12-1024x455.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/07/Bucci-Olmi-Screenshot-2024-07-26-alle-15.42.12-300x133.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/07/Bucci-Olmi-Screenshot-2024-07-26-alle-15.42.12-768x341.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/07/Bucci-Olmi-Screenshot-2024-07-26-alle-15.42.12.png 1138w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></figure> <p>The Everest collective published the files of the Bucci-Olmi notary firm outside the TOR network. 
The Ransomfeed platform reported the news at 15:04 on 26/07/2024.</p> <figure class="wp-block-image aligncenter size-full"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/07/Bucci-OlmiScreenshot-2024-07-26-alle-15.09.01.png"><img loading="lazy" decoding="async" width="1025" height="347" src="https://www.edoardolimone.com/wp-content/uploads/2024/07/Bucci-OlmiScreenshot-2024-07-26-alle-15.09.01.png" alt="" class="wp-image-18634" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/07/Bucci-OlmiScreenshot-2024-07-26-alle-15.09.01.png 1025w, https://www.edoardolimone.com/wp-content/uploads/2024/07/Bucci-OlmiScreenshot-2024-07-26-alle-15.09.01-300x102.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/07/Bucci-OlmiScreenshot-2024-07-26-alle-15.09.01-768x260.png 768w" sizes="(max-width: 1025px) 100vw, 1025px" /></a><figcaption class="wp-element-caption">Download screen for files published by the Everest group</figcaption></figure> <p>Everest published part of the 400 GB, as RAR archives organised as follows:</p> <figure class="wp-block-table has-medium-font-size"><table><thead><tr><th class="has-text-align-center" data-align="center">Archive</th><th class="has-text-align-center" data-align="center">MD5</th><th class="has-text-align-center" data-align="center">Date</th><th class="has-text-align-center" data-align="center">Size (in GB)</th></tr></thead><tbody><tr><td class="has-text-align-center" data-align="center">1.rar</td><td class="has-text-align-center" data-align="center"></td><td class="has-text-align-center" data-align="center"></td><td class="has-text-align-center" data-align="center">???</td></tr><tr><td class="has-text-align-center" data-align="center">2.rar</td><td class="has-text-align-center" data-align="center"></td><td class="has-text-align-center" data-align="center"></td><td class="has-text-align-center" data-align="center">???</td></tr><tr><td class="has-text-align-center" 
data-align="center">3.rar</td><td class="has-text-align-center" data-align="center"></td><td class="has-text-align-center" data-align="center"></td><td class="has-text-align-center" data-align="center">???</td></tr><tr><td class="has-text-align-center" data-align="center">4.rar</td><td class="has-text-align-center" data-align="center"></td><td class="has-text-align-center" data-align="center"></td><td class="has-text-align-center" data-align="center">???</td></tr><tr><td class="has-text-align-center" data-align="center">5.rar</td><td class="has-text-align-center" data-align="center">9a3d9e217890fe76cdc46ac634830111</td><td class="has-text-align-center" data-align="center">2024-07-24 16:06:23</td><td class="has-text-align-center" data-align="center">42.7</td></tr><tr><td class="has-text-align-center" data-align="center">6.rar</td><td class="has-text-align-center" data-align="center">ad7f84271e079c98d65ae685912e3e45</td><td class="has-text-align-center" data-align="center">2024-07-24 16:42:48</td><td class="has-text-align-center" data-align="center">2.7</td></tr><tr><td class="has-text-align-center" data-align="center">7.rar</td><td class="has-text-align-center" data-align="center">86d5709e831acbab2a64c6b64c925e5d</td><td class="has-text-align-center" data-align="center">2024-07-24 16:59:14</td><td class="has-text-align-center" data-align="center">7.8</td></tr><tr><td class="has-text-align-center" data-align="center">8.rar</td><td class="has-text-align-center" data-align="center">3e3868eab9c9043c70a5d6c587071d1e</td><td class="has-text-align-center" data-align="center">2024-07-24 23:54:21</td><td class="has-text-align-center" data-align="center">97.4</td></tr><tr><td class="has-text-align-center" data-align="center">9.rar</td><td class="has-text-align-center" data-align="center">93a1cf46b8b557bb7b681cf32375a99f</td><td class="has-text-align-center" data-align="center">2024-07-26 03:37:59</td><td class="has-text-align-center" 
data-align="center">151.2</td></tr></tbody><tfoot><tr><td class="has-text-align-center" data-align="center"><strong>TOTAL</strong></td><td class="has-text-align-center" data-align="center"></td><td class="has-text-align-center" data-align="center"></td><td class="has-text-align-center" data-align="center"><strong>301.8</strong></td></tr></tfoot></table><figcaption class="wp-element-caption">List of archives published by the Everest group</figcaption></figure> <p>Note that the first four archives (1.rar, 2.rar, 3.rar, 4.rar) had not been uploaded at the time of writing, so their hash, date and size are unknown.</p> <figure class="wp-block-image aligncenter size-full"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/07/Bucci-Olmi-Screenshot-2024-07-26-alle-15.16.23.png"><img loading="lazy" decoding="async" width="353" height="65" src="https://www.edoardolimone.com/wp-content/uploads/2024/07/Bucci-Olmi-Screenshot-2024-07-26-alle-15.16.23.png" alt="" class="wp-image-18633" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/07/Bucci-Olmi-Screenshot-2024-07-26-alle-15.16.23.png 353w, https://www.edoardolimone.com/wp-content/uploads/2024/07/Bucci-Olmi-Screenshot-2024-07-26-alle-15.16.23-300x55.png 300w" sizes="(max-width: 353px) 100vw, 353px" /></a></figure> <p>It is very important to note that Everest created the folder containing the files on 15/07/2024 at 18:03:09, i.e. two days before the public claim (published on 17/07/2024).</p> <p>A few considerations on the published RAR archives. A multi-volume RAR set is split into numbered volumes of identical size, with only the last volume smaller; the sizes in the table above do not follow that pattern at all (2.7 GB next to 151.2 GB), which suggests that each file is a self-contained archive holding a different subset of the exfiltrated material rather than one slice of a single archive. The practical consequence is that any one archive can be downloaded and opened on its own, without first obtaining the whole 300 GB set. 
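</p> <p>As an added example, not part of the original article and not a tool the author used, the following Python script makes the check above on the files themselves rather than by eye: it reads the RAR4 or RAR5 signature and the flags of the main archive header, which state whether the file is one volume of a multi-volume set (and which one), whether the archive is solid, and whether its headers are encrypted; it also encodes the size heuristic described above. The sample RAR headers it builds are constructed inline for the demonstration and contain no leaked data; the size list is the one from the table.</p>

```python
import struct
import zlib

# Added example (not from the original article): inspect a .rar file's
# signature and main header to tell a volume of a multi-volume set from a
# self-contained archive, plus the size heuristic discussed in the text.

RAR4_SIG = b"Rar!\x1a\x07\x00"      # RAR 1.5 - 4.x signature (7 bytes)
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"  # RAR 5.0 signature (8 bytes)


def _read_vint(buf, pos):
    """Decode a RAR5 variable-length integer: 7 data bits per byte, MSB set means 'more'."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def rar_archive_info(data: bytes) -> dict:
    """Return version, volume/solid flags, header encryption and (RAR5) volume number."""
    info = {"version": None, "volume": False, "solid": False,
            "encrypted_headers": False, "volume_number": None}
    if data.startswith(RAR5_SIG):
        info["version"] = 5
        pos = len(RAR5_SIG)
        while pos + 4 < len(data):
            crc = struct.unpack_from("<I", data, pos)[0]
            size, p = _read_vint(data, pos + 4)   # size of everything after the size field
            end = p + size
            if zlib.crc32(data[pos + 4:end]) & 0xFFFFFFFF != crc:
                raise ValueError("RAR5 header CRC mismatch")
            htype, p = _read_vint(data, p)
            hflags, p = _read_vint(data, p)
            if hflags & 0x0001:                   # extra area size present
                _, p = _read_vint(data, p)
            if hflags & 0x0002:                   # data area size present
                _, p = _read_vint(data, p)
            if htype == 4:                        # archive encryption header: all later headers are encrypted
                info["encrypted_headers"] = True
                return info
            if htype == 1:                        # main archive header
                aflags, p = _read_vint(data, p)
                info["volume"] = bool(aflags & 0x0001)
                info["solid"] = bool(aflags & 0x0004)
                if aflags & 0x0002:
                    info["volume_number"], p = _read_vint(data, p)
                return info
            pos = end
        raise ValueError("no RAR5 main header found")
    if data.startswith(RAR4_SIG):
        # RAR4 main header: HEAD_CRC(2) HEAD_TYPE(1)=0x73 HEAD_FLAGS(2) HEAD_SIZE(2) ...
        pos = len(RAR4_SIG)
        if len(data) < pos + 7 or data[pos + 2] != 0x73:
            raise ValueError("RAR4 main header not found")
        hflags = struct.unpack_from("<H", data, pos + 3)[0]
        info.update(version=4,
                    volume=bool(hflags & 0x0001),             # MHD_VOLUME
                    solid=bool(hflags & 0x0008),              # MHD_SOLID
                    encrypted_headers=bool(hflags & 0x0080))  # MHD_PASSWORD
        return info
    raise ValueError("not a RAR archive")


def looks_like_volume_set(sizes) -> bool:
    """Size heuristic: a multi-volume set has equal-size volumes; only the last may be smaller."""
    if len(sizes) < 2:
        return False
    head = sizes[:-1]
    return len(set(head)) == 1 and sizes[-1] <= head[0]


# --- constructed sample files for the demonstration (no real leak data) ---

def _vint(n: int) -> bytes:
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def build_rar5_stub(archive_flags: int, volume_number: int = 0) -> bytes:
    """Signature + main archive header only; enough for the flags check above."""
    body = _vint(1) + _vint(0) + _vint(archive_flags)   # type=1, header flags=0, archive flags
    if archive_flags & 0x0002:
        body += _vint(volume_number)
    hdr = _vint(len(body)) + body
    return RAR5_SIG + struct.pack("<I", zlib.crc32(hdr) & 0xFFFFFFFF) + hdr


def build_rar4_stub(head_flags: int) -> bytes:
    """Signature + main header with the given HEAD_FLAGS (HEAD_CRC left at zero, not checked)."""
    return RAR4_SIG + struct.pack("<HBHH", 0, 0x73, head_flags, 13) + b"\x00" * 6


if __name__ == "__main__":
    print(rar_archive_info(build_rar5_stub(0x0003, 3)))   # volume 3 of a RAR5 multi-volume set
    print(rar_archive_info(build_rar4_stub(0x0008)))      # solid, stand-alone RAR4 archive
    # sizes in GB of 5.rar .. 9.rar from the table: not one split archive
    print(looks_like_volume_set([42.7, 2.7, 7.8, 97.4, 151.2]))
```

<p>On a real download, passing the first few dozen bytes of the file (the signature and the main header sit at the very start) is enough to classify it, so there is no need to read a 150 GB archive in full. If the volume flag is clear on every file while the sizes differ, the files are independent archives, which is what the numbers above suggest.</p> <p>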
This way of publishing the data makes it easily accessible to anyone with an internet connection.</p> <p>The article <a href="https://www.edoardolimone.com/en/2024/07/17/data-breach-bucci-olmi-notary-firm/">Data breach: Bucci-Olmi notary firm</a> originally appeared on <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></content:encoded> </item> <item> <title>The point on health data breaches</title> <link>https://www.edoardolimone.com/en/2024/07/16/the-point-on-health-data-breaches/</link> <dc:creator><![CDATA[Edoardo Limone]]></dc:creator> <pubDate>Tue, 16 Jul 2024 21:41:27 +0000</pubDate> <category><![CDATA[Cybersecurity]]></category> <category><![CDATA[Data Breach]]></category> <category><![CDATA[Healthcare]]></category> <category><![CDATA[Public Administration]]></category> <category><![CDATA[Sicurezza Informatica]]></category> <guid isPermaLink="false">https://www.edoardolimone.com/?p=17639</guid> <description><![CDATA[<p>In Italy, there is a major problem in restoring health services following a computer incident, and it matters little whether the incident is caused by negligence or malicious intent. In […]</p> <p>The article <a href="https://www.edoardolimone.com/en/2024/07/16/the-point-on-health-data-breaches/">The point on health data breaches</a> originally appeared on <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></description> <content:encoded><![CDATA[<p>In Italy, there is a major problem in restoring health services following a computer incident, and it matters little whether the incident is caused by negligence or malicious intent. 
In the health sector, this can make the difference between the provision of essential services and their non-delivery, to the detriment of patients.</p> <span id="more-17639"></span> <h2 class="wp-block-heading">Digital health</h2> <p>The term <em>digital health</em> encompasses all the information systems responsible for the operation of healthcare services: think of document management systems, file servers, communication and data transmission services, patient management systems, and so on. Digital health is a delicate web of systems, services, networks and infrastructures that keep hospitals, ASLs (the local health authorities), emergency rooms and so on running.</p> <p>An IT incident in a sensitive context such as healthcare must be treated as <em>critical</em>. The closure of an emergency room, for instance, means the interruption of care and the transfer of patients to different and sometimes more distant facilities. It is worth remembering that an event of this kind, in Germany, <a href="https://www.edoardolimone.com/2021/10/14/morti-da-ransomware/" target="_blank" rel="noreferrer noopener">contributed to the death of a woman</a>, and that any attempt to dismiss the phenomenon amounts to demonstrating one’s ignorance of computer security and disregard for the treatment of patients.</p> <p>In Italy, the situation regarding the restoration of healthcare services is taking on truly worrying contours: as of 12 July 2024, the ranking shown in the graph below can be drawn up, a ranking that sees ASST Rhodense rising rapidly to the top. 
It has been mentioned on many occasions on this portal that the maximum <a href="https://www.edoardolimone.com/2022/04/20/data-breach-gli-sla-di-agid/" target="_blank" rel="noreferrer noopener">return to operation</a> time <a href="https://www.edoardolimone.com/2022/04/20/data-breach-gli-sla-di-agid/" target="_blank" rel="noreferrer noopener">(RTO)</a> of ASLs, for example, should be 4 days (3.7 to be exact).</p> <figure class="wp-block-image aligncenter size-large"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/07/image-1.png"><img loading="lazy" decoding="async" width="1024" height="407" src="https://www.edoardolimone.com/wp-content/uploads/2024/07/image-1-1024x407.png" alt="" class="wp-image-17638" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/07/image-1-1024x407.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/07/image-1-300x119.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/07/image-1-768x306.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/07/image-1.png 1458w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption">Some data on the restoration of services (as of 12 July 2024)</figcaption></figure> <p>It is therefore embarrassing, to say the least, if not worrying, to see that over the years (more than 10 since AgID’s survey), the situation has not only not improved but, if possible, worsened. 
Bear in mind, for instance, that the data in the graph refer to the years indicated in the table:</p> <figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th class="has-text-align-center" data-align="center">Year</th><th class="has-text-align-center" data-align="center">Target</th><th class="has-text-align-center" data-align="center">Duration</th></tr></thead><tbody><tr><td class="has-text-align-center" data-align="center">2021</td><td class="has-text-align-center" data-align="center">AULSS 6 Euganea</td><td class="has-text-align-center" data-align="center">18</td></tr><tr><td class="has-text-align-center" data-align="center">2023</td><td class="has-text-align-center" data-align="center">ASL 1 Abruzzo</td><td class="has-text-align-center" data-align="center">30</td></tr><tr><td class="has-text-align-center" data-align="center">2023</td><td class="has-text-align-center" data-align="center">Multimedica</td><td class="has-text-align-center" data-align="center">52</td></tr><tr><td class="has-text-align-center" data-align="center">2024</td><td class="has-text-align-center" data-align="center">ASST Rhodense</td><td class="has-text-align-center" data-align="center">36⇪</td></tr></tbody></table></figure> <p>It should also be noted that the data presented here take into account only those targets that have had a restoration period of more than 10 days (and not 4 as reported in the AgID document). The arrow next to ASST Rhodense means that the health authority, at the time of writing this article, is busy restoring its digital services, including the official web portal, which is presented in its temporary guise as shown below. It will certainly not escape the reader’s notice that the further one goes, the more the days of restoration increase instead of decreasing. 
As technology advances, the chances of restoring services on time seem to shrink rather than grow.</p> <figure class="wp-block-image aligncenter size-large"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/07/image-2.png"><img loading="lazy" decoding="async" width="1024" height="917" src="https://www.edoardolimone.com/wp-content/uploads/2024/07/image-2-1024x917.png" alt="" class="wp-image-17637" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/07/image-2-1024x917.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/07/image-2-300x269.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/07/image-2-768x688.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/07/image-2.png 1054w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption">The ASST Rhodense portal as at 12 July 2024, 09:25 a.m.</figcaption></figure> <h2 class="wp-block-heading">The culture of ignorance</h2> <p>The GDPR was first published on 27 April 2016; eight years have passed, and still many healthcare facilities continue to handle and hold personal health data improperly. These are, let us remember, special categories of personal data, which for that very reason require stronger security measures because they are more sensitive: <em>“Special categories of personal data that deserve greater protection should only be processed for health-related purposes…</em>” (GDPR, Recital 53). Clearly this is not only a problem for healthcare facilities, but this article focuses on that sector because it is considered the most important. It is astonishing how carelessly the law is violated, starting with the much-discussed GDPR, which prescribes:</p> <pre class="wp-block-preformatted">It is in the legitimate interest of the data controller concerned to process personal traffic data to the extent strictly necessary and proportionate to ensure network and information security, i.e. 
the ability of a network or an information system to resist, at a given level of security, unforeseen events or unlawful or malicious acts that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data...</pre> <p>That passage is Recital 49 of the GDPR. Given the results, one would argue that such a <em>legitimate</em> interest does not really exist, and that data controllers do not care about this interest but do something else. This is because what digital health lacks is not only technology but, above all, strategies, documentation, planning and everything else needed to design an adequate, though clearly not infallible, information ecosystem <em>over time</em>.</p> <p>It should be made clear to many managers of facilities affected by data breaches that the return to operations expressed by the RTO (Recovery Time Objective) service level refers to the <em><span style="text-decoration: underline">complete</span> restoration of all</em> the organisation’s services, and not only of the part that happens to be considered most relevant. The recovery must be total, from the first to the last element compromised during the incident: otherwise it cannot logically be considered complete, only partial. Yet much controversy has arisen on this point: some deem a restoration complete even when it does not include the reactivation of a website, or of a portal for booking healthcare services, that was present and fully functional before the incident.</p> <p>There is also another problem to be analysed: regulatory ignorance. In the last few hours, discussions have been taking place on Twitter about a data breach involving Prof. Burioni and the signatories of a complaint against him. 
It is a much-discussed controversy, covered by <a href="https://bernieri.blogspot.com/2024/07/entrino-signori-entrino-piu-gente-entra.html">DPO Christian Bernieri in this article.</a> The discussion was in itself very interesting, not so much because of the central fact, but because it showed on Twitter that many people, even insiders, still do not understand what a <em>data breach</em> is. The following is a shining example of ignorance on the subject.</p> <figure class="wp-block-image aligncenter size-large is-resized"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/07/image-3.png"><img loading="lazy" decoding="async" width="1024" height="800" src="https://www.edoardolimone.com/wp-content/uploads/2024/07/image-3-1024x800.png" alt="" class="wp-image-17636" style="width:499px;height:auto" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/07/image-3-1024x800.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/07/image-3-300x234.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/07/image-3-768x600.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/07/image-3.png 1170w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></figure> <p>The user, whose name is redacted in the screenshot and who, incidentally, is neither a jurist nor an insider, claims that what happened in the Burioni case is not a data breach. However, the user ignores the fact that the complaint was signed by individuals who gave their consent only for the document to be signed, not for their personal data to be disclosed on the internet. The user also ignores the fact that a piece of data, even if public, must be processed according to the specific and intended purposes of processing, and in the present case the dissemination of personal data and photocopies of identity documents was neither intended nor authorised. 
The problem, however, is not so much in the answers given by non-practitioners; it explodes when self-styled insiders give these answers. Eight years have passed, and lawyers, computer technicians and so-called ‘experts’ have still not understood what a security breach is and what the law prescribes in this regard. This is a problem, and it is caused by the lack of proper training and the complete sloppiness with which some topics that should be very important are often treated.</p> <p>One would think, therefore, that in recent years a <em>culture of ignorance</em> has been cultivated, based on approximation, on waffling, on the downplaying of phenomena that are much bigger and more relevant than they appear on social media, with the consequent increase in the time it takes to restore digital services. And yet it is strange: in addition to the GDPR, there are standards such as ISO 27001, ISO 27005 and the CIS Critical Security Controls that establish the need to govern recovery activities, and in a few months’ time (from 17 October 2024) there will also be NIS2 to insist on this. It almost makes one smile bitterly to see this regulatory churn on so many important and regularly disregarded points.</p> <h2 class="wp-block-heading">Artificial intelligence could not be left out</h2> <p>In this absolutely discouraging scenario, which shows all the ignorance on a subject that is as basic as it is fundamental for the rights of the individual, there is much talk of artificial intelligence applied to various fields, including healthcare. 
One would think that in order to apply even the simplest and most harmless algorithm, technical, organisational and methodological prerequisites are required, and these are constantly ignored today.</p> <p>It should be noted that the director of one of the ASLs listed above was outraged because, after the security breach, the newspapers were talking about the inefficiencies and the deficient state in which the computer systems were found, while lawyers (rightly) filed claims for compensation for their clients. In essence, instead of apologising and working promptly to restore services, the director of this health facility complained about journalists who were doing their job and denouncing the absurd conditions of data management and processing. Into such a scenario, of absolute technical and organisational incapacity (more or less intentional), one would like to drop one of the most complex, articulated and therefore difficult-to-manage technologies in the world. A technology that could improve the lives of a great many people, provided that it is properly introduced into healthcare facilities and does not itself become an object or cause of vulnerability. Faced with such a topic, therefore, all that remains is a bitter smile and a slight shudder of fear that even this aspect could be implemented superficially; the damage would be considerable, to say the least.</p> <h2 class="wp-block-heading">There is no simple solution but…</h2> <p>One consideration is in order: in a private company, if a project manager commits blatant and repeated errors that cause severe damage to the organisation and its customers in the event of an incident, you can be sure that that manager will at least be relieved of his or her duties.</p> <p>After the security breaches and the exposure of data by hackers, macroscopic errors were revealed in the management and holding of data by many healthcare facilities. 
These errors were the result of an IT strategy aimed at ‘convenience’ rather than security, or at the very least of recklessness or negligence. If the manager(s) responsible for these choices were held accountable, there would undoubtedly be more attention: especially if they had to answer not only before the law but also by paying any fines. This is important to understand and is the fundamental difference between the public and the private sphere. In a private context, the liable party is jointly and severally liable for the damage caused to the organisation and its customers. In the public context, we are at an embarrassing level, where technicians who have facilitated data breaches have not only escaped disciplinary action but in some cases have even been ‘promoted’ to different tasks with a corresponding increase in salary.</p> <p>Data breaches reveal years of neglect and of violation of regulations (such as AgID Circular 2/2017), and if a data breach happens after, say, ten years of neglect, the question is no longer about the IT incident but about why the regulations were not complied with for ten years. It is possible to determine the condition of a computer system very precisely, and to establish its limits and fundamental breaches without any difficulty. For instance, it is possible to determine whether, at the time of the incident, the organisation was applying the security measures required by law, whether it had properly implemented backups, and whether it had properly digitally signed plans and strategies. In short, if one wanted to, it would be possible to make all the findings necessary to enforce the law and restore dignity to the processing of citizens’ data.</p> <h2 class="wp-block-heading">Conclusion</h2> <p>It should all be very important but, as the comedian Luca Bizzarri would say, we <em>are in Italy</em> and we like to do things our own way. 
So we wait for months and months for the health services to be fully operational again, and in the meantime top experts in technology, law, cybersecurity and artificial intelligence come and go in round tables, webinars and online meetings, showing off their great expertise. With all this widespread knowledge, Italy should be at the top in terms of technological performance, cybersecurity and personal data processing culture. Strangely enough, this is not the case, but it is holiday time and so everything will be conveniently forgotten under a beach umbrella between a spritz and a Settimana Enigmistica. Hackers, security breaches and data protection will be forgotten, and the dignity of the citizen’s rights will also be forgotten, but who cares, tomorrow is another day and the dignity of the citizen’s rights we have long since forgotten.</p> <p>The article <a href="https://www.edoardolimone.com/en/2024/07/16/the-point-on-health-data-breaches/">The point on health data breaches</a> originally appeared on <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></content:encoded> </item> <item> <title>Technology and energy consumption</title> <link>https://www.edoardolimone.com/en/2024/06/24/technology-and-energy-consumption/</link> <dc:creator><![CDATA[Edoardo Limone]]></dc:creator> <pubDate>Mon, 24 Jun 2024 21:13:44 +0000</pubDate> <category><![CDATA[Artificial Intelligence]]></category> <category><![CDATA[Digitalizzazione]]></category> <category><![CDATA[Intelligenza Artificiale]]></category> <guid isPermaLink="false">https://www.edoardolimone.com/?p=17566</guid> <description><![CDATA[<p>We are constantly talking about technologies such as blockchain and artificial intelligence, but we also have to assess the energy consumption and pollution related to their deployment. 
Let us try to get into the numbers, with the aim of understanding the real importance of these technologies but also the heavy impact they have on the environment and on available resources. We must use them wisely!</p> <p>The article <a href="https://www.edoardolimone.com/en/2024/06/24/technology-and-energy-consumption/">Technology and energy consumption</a> originally appeared on <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></description> <content:encoded><![CDATA[<p>Artificial intelligence is an invaluable resource for the development of mankind on the planet. Computational capacity can improve life chances and create new and better hopes for mankind, but none of this is free, and perhaps many aspects continue to be underestimated.</p> <span id="more-17566"></span> <p>The purpose of this article is to suggest a reflection on the usefulness of technologies such as blockchain or artificial intelligence in relation to their consumption, in a world with fewer and fewer primary resources available. The aim is not to declare them useless; on the contrary, it is precisely their strategic importance that calls for reflection on how widely they are actually deployed.</p> <h2 class="wp-block-heading">Artificial intelligence and water consumption</h2> <p>In 2022, Google, Microsoft and Meta consumed more than 2 billion cubic metres of fresh water, an impressive amount, and, <a href="https://www.corrierecomunicazioni.it/green-economy/lintelligenza-artificiale-e-il-paradosso-idrico-migliaia-di-soluzioni-anti-sprechi-ma-consumi-record-per-i-data-center/#:~:text=Nel%202022%20le%20aziende%20tecnologiche,6%20miliardi%20di%20metri%20cubi." target="_blank" rel="noreferrer noopener">according to Dr. 
Veronica Balocco in the Corriere delle Comunicazioni</a>, an estimated 4.2 to 6.6 billion cubic metres of fresh water will be consumed in 2027 (for more information <a href="https://hyscaler.com/insights/water-consumption-of-ai-tech-giants/" target="_blank" rel="noreferrer noopener">click here</a>).</p> <h3 class="wp-block-heading">What fresh water is for</h3> <p>Fresh water is used to cool the processors that carry out the calculations required by artificial intelligence algorithms: the busier the processor, the more heat it releases and the greater the demand for water. Let us take a practical example: CINECA’s LEONARDO supercomputer receives incoming water at 37°C, which circulates to cool the systems involved in the computation and leaves at a maximum of 47°C.</p> <p>The case of LEONARDO is interesting because from CINECA’s presentation we learn that the cooling system is a closed circuit in which water is never wasted; indeed, the 37°C inlet temperature makes it easy to see that the water is constantly recirculated. It is an intelligent design that, as CINECA President Dr. 
Francesco Ubertini points out, nonetheless requires a certain ‘ethics of use’ of the system: it must be used for important things.</p> <h3 class="wp-block-heading">What 2 billion cubic metres of water means</h3> <h4 class="wp-block-heading">The case of Roma Capitale</h4> <p>Answering this question is not easy, but it is possible with a few simple calculations.</p> <pre class="wp-block-preformatted"><strong>Data</strong><br>Per capita water consumption: 155 cubic metres per year (source: <a href="https://www.ansa.it/sito/notizie/economia/pmi/2023/03/21/acqua-istat-italia-resta-al-top-in-europa-per-consumi_14d7d2a8-cd34-4058-b3b4-bdfc9df4e24e.html" target="_blank" rel="noreferrer noopener">ANSA</a>)<br>Population of Rome: 2,800,000 inhabitants (source: <a href="https://www.comune.roma.it/web-resources/cms/documents/02_Popolazione_Annuario_2023_def.pdf" target="_blank" rel="noreferrer noopener">Municipality of Rome</a> for year 2023)<br><br><strong>Calculations</strong><br>Total consumption = Per capita consumption x Population<br>Total consumption = 155 m<sup>3</sup>/year x 2,800,000 inhabitants<br>Total consumption = 434,000,000 m<sup>3</sup>/year</pre> <p>It should be noted, however, that this value (434,000,000) only covers domestic use and does not take into account industrial, commercial and tourist uses. It is therefore quite plausible to round the figure up to about 550,000,000 m<sup>3</sup>.</p> <pre class="wp-block-preformatted">Estimated total annual consumption = 550,000,000 m<sup>3</sup><br>Estimated total daily consumption = 550,000,000 / 365 = 1,506,849 m<sup>3</sup><br><br>--------------<br><br>1,506,849 m<sup>3</sup> = 1,506,849,000 litres</pre> <p>In Rome, in essence, an estimated 1,506,849,000 litres of water were consumed per day in 2023. 
A very high value, which nonetheless pales beside the figure declared for London (a far more populous city than Rome).</p> <h4 class="wp-block-heading">The case of London</h4> <p>According to <a href="https://www.london.gov.uk/programmes-strategies/environment-and-climate-change/climate-change/climate-adaptation/water-resources" target="_blank" rel="noreferrer noopener">the Greater London Authority website (london.gov.uk)</a>, daily water consumption is about 2,600,000 m<sup>3</sup>, i.e. 2.6 billion litres. Also keep in mind the difference in size between the two cities:</p> <figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th></th><th class="has-text-align-center" data-align="center">Rome</th><th class="has-text-align-center" data-align="center">London</th></tr></thead><tbody><tr><td>Population</td><td class="has-text-align-center" data-align="center">2,848,084</td><td class="has-text-align-center" data-align="center">8,982,000</td></tr></tbody></table></figure> <figure class="wp-block-image aligncenter size-large"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/06/image-9.png"><img loading="lazy" decoding="async" width="1024" height="763" src="https://www.edoardolimone.com/wp-content/uploads/2024/06/image-9-1024x763.png" alt="" class="wp-image-17489" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/06/image-9-1024x763.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/06/image-9-300x223.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/06/image-9-768x572.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/06/image-9-1536x1144.png 1536w, https://www.edoardolimone.com/wp-content/uploads/2024/06/image-9-2048x1525.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption">The london.gov.uk page on water resources</figcaption></figure> <h4 class="wp-block-heading">The case of New York</h4> <p>New York is one of the largest 
cities in the world and, according to the city’s official portal (<a href="https://www.nyc.gov/site/dep/news/22-013/rate-proposal-would-keep-cost-new-york-city-s-award-winning-tap-water-well-below-the" target="_blank" rel="noreferrer noopener">NYC.GOV</a>), water consumption is around 1 billion (1,000,000,000) gallons per day. It should therefore be noted that:</p> <pre class="wp-block-preformatted">1 gallon = 3.78541 litres<br>1,000,000,000 gallons/day x 3.78541 = <strong>3,785,410,000 litres/day</strong></pre> <p>Reconsider what Dr. Balocco reported: <em>in 2027, the annual consumption of fresh water needed to run A.I. is estimated at between 4.2 and 6.6 billion cubic metres.</em> Those are cubic metres, not litres: 4.2 to 6.6 billion m<sup>3</sup> per year is 4,200 to 6,600 billion litres per year, i.e. roughly 800 to 1,250 days (between two and three and a half years) of the combined daily consumption of New York and Rome, which is about 5.3 billion litres.</p> <figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th>Cities</th><th class="has-text-align-center" data-align="center">Litres/day</th></tr></thead><tbody><tr><td>New York</td><td class="has-text-align-center" data-align="center">3,785,410,000</td></tr><tr><td>London</td><td class="has-text-align-center" data-align="center">2,600,000,000</td></tr><tr><td>Rome</td><td class="has-text-align-center" data-align="center">1,506,849,000</td></tr><tr><td>Milan</td><td class="has-text-align-center" data-align="center">630,000,000</td></tr></tbody></table><figcaption class="wp-element-caption">Estimated daily water consumption in litres</figcaption></figure> <p>Does it seem little? Does it sound sustainable? 
Bear in mind that a person in a low-income country, according to figures repeatedly published by the WHO and <a href="https://www.unicefusa.org/stories/unicef-helps-families-access-safe-water-drought-stricken-kenya" target="_blank" rel="noreferrer noopener">UNICEF</a>, lives on about 20 litres of water per day.</p> <h2 class="wp-block-heading">Blockchain and resource consumption</h2> <p>The other technology that has been the subject of much discussion in terms of energy consumption is the blockchain, and for years questions have been raised about the possibility of optimising that consumption. Below are some very simple calculations to estimate the energy required for <em>mining</em> Bitcoin and Ethereum.</p> <h3 class="wp-block-heading">Bitcoin</h3> <p>Suppose we use a single high-performance ASIC miner, an Antminer S19 Pro. Its average power draw is 3,250 watts (3.25 kW); running it for an hour therefore consumes 3.25 kWh.</p> <pre class="wp-block-preformatted">Daily consumption: 3.25 kW x 24 hours/day = <strong>78 kWh/day</strong></pre> <p>A single system will therefore consume 78 kWh in one day of operation. Imagine using 1,000 Antminer S19 systems and creating what is called a <em>mining farm</em>, i.e. a multiple bitcoin production system; the result would be as follows.</p> <pre class="wp-block-preformatted">1,000 systems x 78 kWh/day = <strong>78,000 kWh/day (i.e. 78 MWh/day)</strong></pre> <h3 class="wp-block-heading">Ethereum</h3> <p>For Ethereum, imagine using an NVIDIA RTX 3080 GPU with a power draw of about 300 watts (0.3 kW). Note that Ethereum switched from proof-of-work to proof-of-stake with The Merge in September 2022, so GPU mining of Ethereum no longer takes place; the figures below describe GPU proof-of-work mining as it was before that change. The result would be:</p> <pre class="wp-block-preformatted">Daily consumption = 0.3 kW x 24 hours/day = <strong>7.2 kWh/day</strong><br><br>1,000 GPUs x 7.2 kWh/day = <strong>7,200 kWh/day (i.e. 
7.2 MWh/day)</strong></pre> <h3 class="wp-block-heading">Summing up consumption</h3> <p>Summarising the consumption estimates and putting them in an everyday context, we can state the following.</p> <figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th>Type</th><th class="has-text-align-center" data-align="center">Energy required</th></tr></thead><tbody><tr><td>Bitcoin farm of 1,000 Antminer systems</td><td class="has-text-align-center" data-align="center">78 MWh/day</td></tr><tr><td>Ethereum farm of 1,000 NVIDIA RTX 3080 GPUs</td><td class="has-text-align-center" data-align="center">7.2 MWh/day</td></tr></tbody></table></figure> <p>These are very significant consumption figures which, clearly, should be closely monitored. Considering the average energy consumption per capita and the population, it is possible to estimate that:</p> <pre class="wp-block-preformatted">19,178 MWh/day consumed for Milan (pop. 1,400,000)<br>11,918 MWh/day consumed for Turin (pop. 870,000)<br> 5,014 MWh/day consumed for Florence (pop. 366,000)</pre> <p>Finally, to understand the energy consumption of Bitcoin farms even better, one can consider the well-known statistic that <strong>the entire Bitcoin network consumes 120 Terawatt hours (TWh) annually, while Norway, again annually, consumes 124 Terawatt hours</strong> (Source: <a href="https://www.forbes.com/sites/niallmccarthy/2021/05/05/bitcoin-devours-more-electricity-than-many-countries-infographic/" target="_blank" rel="noreferrer noopener">Forbes</a>). 
This statistic may help put the figures in perspective.</p> <figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th class="has-text-align-center" data-align="center">Consumption in TWh/year</th><th class="has-text-align-center" data-align="center">Subject</th></tr></thead><tbody><tr><td class="has-text-align-center" data-align="center">124</td><td class="has-text-align-center" data-align="center">Norway</td></tr><tr><td class="has-text-align-center" data-align="center"><strong>120</strong></td><td class="has-text-align-center" data-align="center"><strong>Bitcoin Farm</strong></td></tr><tr><td class="has-text-align-center" data-align="center">120</td><td class="has-text-align-center" data-align="center">Holland</td></tr><tr><td class="has-text-align-center" data-align="center">83</td><td class="has-text-align-center" data-align="center">Belgium</td></tr><tr><td class="has-text-align-center" data-align="center">83</td><td class="has-text-align-center" data-align="center">Finland</td></tr><tr><td class="has-text-align-center" data-align="center">50</td><td class="has-text-align-center" data-align="center">Portugal</td></tr><tr><td class="has-text-align-center" data-align="center">34</td><td class="has-text-align-center" data-align="center">Denmark</td></tr></tbody></table><figcaption class="wp-element-caption">Data referring to 2021</figcaption></figure> <p>It is important to understand that energy production is not always based on renewable and ‘clean’ sources; very often, generating the required energy itself causes pollution and consumes resources.</p> <h2 class="wp-block-heading">Weighing, yes, but how?</h2> <p>Let us focus on artificial intelligence: the use of coolants and desalinators are certainly solutions, but the more important question is <em>what do we use artificial intelligence for?</em> If one wanted to be provocative, the use of AI to construct memes with Gerry Scotti’s face could certainly be avoided, while the 
use of such technology to optimise production cycles, medical research and energy consumption systems is welcome. It is therefore a question of weighing its use carefully in order to avoid burdening the ecosystem with unnecessary causes of deterioration, but weighing is difficult when the technology is massified and can potentially have millions of applications (from the most useful to the most useless).</p> <p>The energy consumption generated by artificial intelligence could be counteracted by resource optimisation and, probably, by higher access costs, which companies, however, will want to avoid so as not to raise the barrier to entry to the technology and shrink the user base. <em>The</em> question therefore arises: <em>is the free-use model of artificial intelligence, as we are currently experiencing it, really sustainable?</em></p> <p>It is worth asking these questions: the sustainability of these technologies cannot come at the expense of life on the planet, however convenient and efficient they are.</p> <p>The article <a href="https://www.edoardolimone.com/en/2024/06/24/technology-and-energy-consumption/">Technology and energy consumption</a> comes from <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></content:encoded> </item> <item> <title>Artificial intelligence and online violence on animals and children</title> <link>https://www.edoardolimone.com/en/2024/06/16/artificial-intelligence-and-online-violence-on-animals-and-children/</link> <dc:creator><![CDATA[Edoardo Limone]]></dc:creator> <pubDate>Sun, 16 Jun 2024 21:06:00 +0000</pubDate> <category><![CDATA[Artificial Intelligence]]></category> <category><![CDATA[Intelligenza Artificiale]]></category> <category><![CDATA[Sicurezza Informatica]]></category> <category><![CDATA[Violenza in rete]]></category> <guid isPermaLink="false">https://www.edoardolimone.com/?p=17555</guid> <description><![CDATA[<p>After the analysis carried out in 2021 and 
reported in the article ‘Videos of animal violence are increasing on the net’, it was decided to return to the subject a few […]</p> <p>The article <a href="https://www.edoardolimone.com/en/2024/06/16/artificial-intelligence-and-online-violence-on-animals-and-children/">Artificial intelligence and online violence on animals and children</a> comes from <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></description> <content:encoded><![CDATA[<p>After the analysis carried out in 2021 and reported in the article <em><a href="https://www.edoardolimone.com/2021/11/26/stanno-aumentando-sulla-rete-i-video-di-violenza-sugli-animali/" target="_blank" rel="noreferrer noopener">‘Videos of animal violence are increasing on the net</a></em>’, it was decided to return to the subject a few years later to see how the situation has changed.</p> <span id="more-17555"></span> <h2 class="wp-block-heading">The phenomenon</h2> <p>The phenomenon described concerns the production of videos of the violent deaths of all kinds of animals (dogs, cats, mice, insects, etc.): animals are filmed being killed using particularly brutal methods. For reasons of decorum, we prefer not to go into details, but it is important to understand that some of these methods are directly related to the sexual sphere, and the buyers of these videos therefore seek a form of extreme excitement. The 2021 article reported that the phenomenon was on the rise, albeit confined to platforms that are difficult to control, such as <em>peer-to-peer</em> platforms or little-known forums. Unfortunately, in recent years the phenomenon has managed to penetrate social networks, reaching a much wider audience.</p> <h2 class="wp-block-heading">Instagram: adults, children and animals</h2> <p>Artificial intelligence is making it possible to create particularly complex synthetic images that, in the case covered by this article, involve scenes of violence against animals. 
These images are mostly produced in East Asian countries and also involve people, not just animals. As long as the images turn out to be <em>artefacts</em>, they are not considered a problem, and this consideration should not be underestimated at all: the trend of generating certain images, in the months from January 2024 to June 2024, initially involved adults only; then images were created depicting scenes of violence against the elderly, then animals were used and finally children as well. Entire Instagram channels were created around these images, which, being in fact generated with artificial intelligence, are not considered ‘a danger’.</p> <figure class="wp-block-image aligncenter size-large is-resized"><img loading="lazy" decoding="async" width="1024" height="1008" src="https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-ai-rat-1024x1008.jpeg" alt="" class="wp-image-17492" style="width:auto;height:400px" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-ai-rat-1024x1008.jpeg 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-ai-rat-300x295.jpeg 300w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-ai-rat-768x756.jpeg 768w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-ai-rat.jpeg 1170w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">An example of the first images produced</figcaption></figure> <p>Indeed, these images have the power to change the individual’s perception of violence, lowering the threshold of intolerance towards inappropriate content. If initially the generated images alluded to one or more sexual fantasies, which the viewer then had to complete in his or her mind, now the content has become much more explicit and much less left to the imagination. 
The change has been so gradual that many channel visitors have ‘got used to’ and ‘liked’ the change in content, keeping their <em>follow</em> despite it being highly inappropriate.</p> <h2 class="wp-block-heading">Why East Asia</h2> <figure class="wp-block-image aligncenter size-large is-resized"><img loading="lazy" decoding="async" width="1024" height="1009" src="https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-child-1024x1009.jpeg" alt="" class="wp-image-17493" style="width:auto;height:300px" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-child-1024x1009.jpeg 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-child-300x296.jpeg 300w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-child-768x757.jpeg 768w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-child.jpeg 1170w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">One of the images featuring children</figcaption></figure> <p>Many of the contents portray Western models, but many others depict East Asian figures: India is one of the countries most involved in the dissemination of these images. In many cases, for example, one finds artefacts recalling British supremacy over India, with scenes of domination and violence against Indians. These are contents developed precisely in India, realising fantasies of domination that are now also projected onto children. 
Of course, all these materials receive favourable comments, with a few exceptions: one case in point was a photo in which a child is dragged by a leash tied to a car, where the comments are quite explicit.</p> <figure class="wp-block-gallery has-nested-images columns-default wp-block-gallery-4 is-layout-flex wp-block-gallery-is-layout-flex"> <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="969" height="1024" data-id="17494" src="https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-car-969x1024.jpeg" alt="" class="wp-image-17494" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-car-969x1024.jpeg 969w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-car-284x300.jpeg 284w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-car-768x811.jpeg 768w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-car.jpeg 1134w" sizes="(max-width: 969px) 100vw, 969px" /></figure> <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="913" data-id="17495" src="https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-comment_02-1024x913.jpeg" alt="" class="wp-image-17495" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-comment_02-1024x913.jpeg 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-comment_02-300x268.jpeg 300w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-comment_02-768x685.jpeg 768w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-comment_02.jpeg 1037w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure> </figure> <p>Again, it is an Indian channel that produced the image, although the models have a Western appearance. Background, car type and channel name (as well as the rest of the content) point to India as the country of generation. 
Another example, appropriately censored, is the one below.</p> <figure class="wp-block-gallery aligncenter has-nested-images columns-default is-cropped wp-block-gallery-5 is-layout-flex wp-block-gallery-is-layout-flex"> <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="1004" data-id="17496" src="https://www.edoardolimone.com/wp-content/uploads/2024/06/image-2-1024x1004.png" alt="" class="wp-image-17496" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/06/image-2-1024x1004.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/06/image-2-300x294.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/06/image-2-768x753.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/06/image-2.png 1170w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure> <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="716" height="1024" data-id="17497" src="https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-Classroom_02-716x1024.jpeg" alt="" class="wp-image-17497" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-Classroom_02-716x1024.jpeg 716w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-Classroom_02-210x300.jpeg 210w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-Classroom_02-768x1099.jpeg 768w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-Classroom_02-1074x1536.jpeg 1074w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-Classroom_02.jpeg 1170w" sizes="(max-width: 716px) 100vw, 716px" /></figure> </figure> <p>Often the characters in these images are recurrent: just as little Rahul is the sacrificial victim in several images, his teachers and stepmothers often retain the same names and ‘behavioural characteristics’ as if they were real people. 
This, among other things, makes it possible to estimate which character the audience prefers.</p> <h2 class="wp-block-heading">Cultural influence</h2> <p>It will not have escaped notice that some of these images are set in school contexts: Indian culture attaches enormous importance to education and educators. Teachers are seen as second only to parents in the formation of character and the transmission of wisdom. This respect is often manifested on occasions such as the festival of ‘Guru Purnima’, a day dedicated to honouring gurus and teachers. These images thus have a strong cultural hold on the masses and hinge on a discrimination inherent in social roles.</p> <p>This discriminatory phenomenon, which is also directed against social minorities (homosexuals, trans people) and other religions, was discussed in an <a href="https://indianexpress.com/article/technology/artificial-intelligence/racist-sexist-casteist-is-ai-bad-news-for-india-8934898/">article in the Indian Express</a> and deserves further investigation. The author of the article writes: <em>‘It will directly affect people living on the margins: Dalits, Muslims, trans people. 
It will exacerbate prejudice and discrimination against them,’ said Shivangi Narayan, a researcher who has studied predictive policing in Delhi.</em></p> <p>Discrimination is thus sought and practised with surgical precision, thanks to the on-demand generation of artefactual images with strong socio-political significance.</p> <h2 class="wp-block-heading">Not only artificial intelligence</h2> <p>Unfortunately, the phenomenon has gone far beyond the creation of fabricated images, reaching the publication and dissemination of paid videos of violence against animals.</p> <figure class="wp-block-image aligncenter size-large is-resized"><img loading="lazy" decoding="async" width="1024" height="795" src="https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-rat-1024x795.jpeg" alt="" class="wp-image-17498" style="width:auto;height:300px" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-rat-1024x795.jpeg 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-rat-300x233.jpeg 300w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-rat-768x596.jpeg 768w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-rat.jpeg 1170w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">The video was promoted on Instagram</figcaption></figure> <p>This is the case of the video of two poor guinea pigs, advertised on Instagram within an artificial-intelligence image-generation channel. The video is as real as the two guinea pigs, whose end is all too apparent. Note the detail in the message: the price is 500 Indian rupees. 
Bear in mind that 500 Indian rupees are, at the time of writing this article, 5.58 euros, which makes it possible for anyone to access these videos and double the offer by asking for more.</p> <figure class="wp-block-gallery aligncenter has-nested-images columns-default is-cropped wp-block-gallery-6 is-layout-flex wp-block-gallery-is-layout-flex"> <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="1008" data-id="17499" src="https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-Myg-1024x1008.jpeg" alt="" class="wp-image-17499" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-Myg-1024x1008.jpeg 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-Myg-300x295.jpeg 300w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-Myg-768x756.jpeg 768w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-Myg.jpeg 1170w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure> <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="723" height="1024" data-id="17500" src="https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-Myg_02-723x1024.jpeg" alt="" class="wp-image-17500" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-Myg_02-723x1024.jpeg 723w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-Myg_02-212x300.jpeg 212w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-Myg_02-768x1088.jpeg 768w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-Myg_02-1084x1536.jpeg 1084w, https://www.edoardolimone.com/wp-content/uploads/2024/06/Insta-Myg_02.jpeg 1170w" sizes="(max-width: 723px) 100vw, 723px" /></figure> </figure> <p>The second photo case is that of <em>Myg</em> (fictional name): a young girl who is portrayed in various positions by someone very close to her, only to be taken out of context and placed in a scenario of child domination. 
These are literal <em>photo montages</em> in which Myg enjoys performing acts of domination against her peers or adults and the elderly. The problem with the Myg case is that there are not only photographs but also videos in which the little girl, for instance, steps on teddy bears or other soft toys, with the phone held directly by her. In the Myg case, the origin would seem to be the West and not the East.</p> <h2 class="wp-block-heading">Algorithms don’t work: you have to report</h2> <p>The censorship algorithm has not worked and is not working properly: although it has been decided not to publish even censored images in this article, please believe that there are hundreds of fabricated images of violence against minors. This is a trend that should not be underestimated, and it shows how ineffective the automatic moderation systems are, having allowed increasingly extreme content to flourish over the past 6-7 months.</p> <p>In a discussion held with my friend Andrea Lisi some time ago, we were discussing censorship algorithms and how they, although helpful, are completely ineffective when operating on their own. They certainly represent a cost saving for social network companies, but their level of inefficiency is matched by the damage caused by the publication of content. 
Widespread moderation (that carried out through user reporting) remains a last line of defence, but has little impact considering that the most impressionable users prefer to ‘leave’ the social channel without reporting.</p> <figure class="wp-block-image aligncenter size-full is-resized"><img loading="lazy" decoding="async" width="591" height="1025" src="https://www.edoardolimone.com/wp-content/uploads/2024/06/WARealChild.jpg" alt="" class="wp-image-17501" style="width:428px;height:auto" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/06/WARealChild.jpg 591w, https://www.edoardolimone.com/wp-content/uploads/2024/06/WARealChild-173x300.jpg 173w" sizes="(max-width: 591px) 100vw, 591px" /></figure> <p>Reports on Instagram have had no effect, and a few days ago artificial intelligence was joined by ‘videos on demand’ involving real children. The size of the screenshot suggests a hypothetical duration of 6-10 minutes for videos compressed in H.264 at 1080p resolution.</p> <h2 class="wp-block-heading">Monitoring Case U-1605</h2> <p>Case U-1605 concerns an individual who, according to initial analysis, resides in India and sells child pornography on Telegram by advertising on Instagram. The user is moderately active and offers the distribution of hundreds of videos for only USD 15 (approximately Rs 1,200 in July 2024). Many of these videos are less than a minute long and, from the previews, they do not all appear to have sexual content. Most, however, run between four and 11 minutes and are in line with the above. There are also specific videos of 15 to 20 minutes in which minors of 8 to 10 years are involved, in scenes that could endanger their health and even their lives (e.g. 
by choking by crushing their throats with weights four times their own).</p> <p>It was decided to carry out statistical monitoring of the channel in order to show the growth trend, and a number of parameters were examined, including:</p> <ul class="wp-block-list"> <li>The number of members</li> <li>The number of published photos</li> <li>The number of videos published</li> </ul> <p>Monthly monitoring of the trend was started in order to understand the ‘level of interest’ users find in the channel. All information will be published at the bottom of the article. A clarification must be made about the monitoring system adopted by Telegram: Telegram’s current rules do not speak of paedophile-pornographic violations on content exchanged between users. The violation is described as follows:</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>All Telegram chats and groups are the private territory of their respective participants. We do not make any requests relating to them. However, sticker sets, channels and bots on Telegram are publicly available. If you find any sticker sets or bots on Telegram that you think are illegal, please contact us at abuse@telegram.org. […]</p> <cite>Source: Telegram (<a href="https://telegram.org/faq/it">Link</a>)</cite></blockquote> <p>Frankly, it would seem that Telegram is more concerned with copyright infringement than with preventing the dissemination of paedophile material.</p> <h2 class="wp-block-heading">Conclusions</h2> <p>Generating these images is very easy; carrying them out in real life would be almost unthinkable. Easy access to such powerful tools can favour the development and dissemination of extreme content, even when not directly related to a sexual sphere. 
The fact that they are artefactual images, even of high graphic resolution, can complicate the problem.</p> <p>The hope for widespread moderation wanes when the algorithmic part is not taken care of enough to facilitate the first skimming and censoring of inappropriate content. This will have to be addressed in the years to come, to prevent the network from deteriorating further and becoming a widespread reservoir of extreme and inappropriate content.</p> <p>It is important not to demonise a useful and powerful technology such as artificial intelligence, which remains a fundamental tool for technological development and the improvement of life. It was foreseeable that there would be cases of its use for unlawful or harmful purposes, but this should not prevent its development; rather, it should lead to better regulation of its application.</p> <p>In the writer’s opinion, the real problem in the dissemination of these images is attributable to two phenomena: the first concerns the hypocrisy of social censorship mechanisms which censor a statue’s naked breasts but then do not want to, or cannot, censor phenomena such as those documented and discussed so far.</p> <p>The second phenomenon, dramatically more worrying, is the mechanism of habituation to these images. As they become more frequent, widespread and shared, they will arouse less and less concern, outrage, fear and disapproval, making the (already widespread) phenomenon even more ignored than it already is.</p> <hr class="wp-block-separator has-alpha-channel-opacity" /> <h2 class="wp-block-heading">Case Updates U-1605</h2> <h3 class="wp-block-heading">June 2024: development of the Telegram channel</h3> <p>Following reports on Instagram, the channel was closed, but the user subsequently opened a second one with a Telegram group. This was in June 2024. The group soon grew from 23 initial users to more than 1,500 within about a month. 
Statistical data in graphical and tabular form are published below.</p> <figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th class="has-text-align-center" data-align="center">Date</th><th class="has-text-align-center" data-align="center">Members</th></tr></thead><tbody><tr><td class="has-text-align-center" data-align="center">15/06/2024</td><td class="has-text-align-center" data-align="center">23</td></tr><tr><td class="has-text-align-center" data-align="center">26/07/2024</td><td class="has-text-align-center" data-align="center">1,575</td></tr></tbody></table><figcaption class="wp-element-caption">Table containing the activity trend data of user U-1605’s Telegram channel</figcaption></figure> <h3 class="wp-block-heading">July 2024: closing and reopening of the Telegram channel</h3> <p>On 26/07/2024, the Telegram channel of user U-1605 was deleted from Telegram after the administrator had published some illegal photographs and videos in the preceding days. It is striking to note how, in little more than a month, the number of users grew dramatically.</p> <p>Following the closure of the channel, another, non-secret channel was immediately opened, initially fed only with AI-generated images of scenes of violence against minors. This channel, whose administrator signs himself with a golden trident, had only 19 members as of 26/07/2024 at approx. 
21:50 hours.</p> <figure class="wp-block-image aligncenter size-full"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/06/U1605-Screenshot-2024-07-26-alle-22.00.43.png"><img loading="lazy" decoding="async" width="475" height="642" src="https://www.edoardolimone.com/wp-content/uploads/2024/06/U1605-Screenshot-2024-07-26-alle-22.00.43.png" alt="" class="wp-image-17502" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/06/U1605-Screenshot-2024-07-26-alle-22.00.43.png 475w, https://www.edoardolimone.com/wp-content/uploads/2024/06/U1605-Screenshot-2024-07-26-alle-22.00.43-222x300.png 222w" sizes="(max-width: 475px) 100vw, 475px" /></a></figure> <p>The user is the owner of several accounts: the purchase message shown under the collection of images is the same as the one that appears for real child-pornographic films.</p> <p>The article <a href="https://www.edoardolimone.com/en/2024/06/16/artificial-intelligence-and-online-violence-on-animals-and-children/">Artificial intelligence and online violence on animals and children</a> comes from <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></content:encoded> </item> <item> <title>What is DWELL TIME in cybersecurity</title> <link>https://www.edoardolimone.com/en/2024/06/09/what-is-dwell-time-in-cybersecurity/</link> <dc:creator><![CDATA[Edoardo Limone]]></dc:creator> <pubDate>Sun, 09 Jun 2024 21:42:30 +0000</pubDate> <category><![CDATA[Cybersecurity]]></category> <category><![CDATA[Ransomware]]></category> <category><![CDATA[Sicurezza Informatica]]></category> <guid isPermaLink="false">https://www.edoardolimone.com/?p=17646</guid> <description><![CDATA[<p>It is a term little known to the uninitiated, but dwell time is perhaps one of the most important elements to know for those working in cybersecurity. 
What is dwell […]</p> <p>The article <a href="https://www.edoardolimone.com/en/2024/06/09/what-is-dwell-time-in-cybersecurity/">What is DWELL TIME in cybersecurity</a> comes from <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></description> <content:encoded><![CDATA[<p>It is a term little known to the uninitiated, but <em>dwell time</em> is perhaps one of the most important elements to know for those working in cybersecurity.</p> <span id="more-17646"></span> <h2 class="wp-block-heading">What is <em>dwell time</em> in cybersecurity</h2> <p>The English term <em>dwell time</em> literally means the time spent staying somewhere (the verb <em>dwell</em> means <em>to stay</em>). It is therefore a generic term that can be used in various operational fields, for example in marketing strategies and in cybersecurity.</p> <p>In the field of <em>cybersecurity</em> (the term used by EU Directive 2022/2555), <em>dwell time</em> is fundamental and identifies the time interval between the infection of a system by a threat and its actual detection. The security company Checkpoint has provided a useful <a href="https://blog.checkpoint.com/artificial-intelligence/ai-and-automation-in-the-race-to-reduce-attack-dwell-time/" target="_blank" rel="noreferrer noopener">definition</a> of <em>dwell time</em>, describing it as follows:</p> <pre class="wp-block-verse">Attack dwell time, the interval between an initial breach and its detection, is a crucial metric in cybersecurity. 
The longer attackers go undetected, the more damage they can inflict.</pre> <h2 class="wp-block-heading">Why dwell time is important</h2> <p>Dwell time is important for a number of reasons: first of all, it represents a critical moment in the infection cycle of a multi-stage attack. It is an ‘unguarded’ moment, when security systems often fail to perceive the threat. Checkpoint itself explains very clearly that Security Orchestration, Automation and Response (SOAR) platforms, which are responsible for orchestrating and responding to incidents, often remain inert because they do not detect the threat at this very early stage.</p> <p>During these early moments, the threat begins to <em>assemble itself</em> and thus begins to assume what will later be the most threatening and devastating configuration expressed by the malicious program. The reason why SOAR platforms fail, according to Checkpoint, is that <em>‘these systems often operate within isolated data silos, leading to fragmented visibility and delayed responses’</em>. Then there are other issues related to the volume of alerts, which, at times deceptively, could lead SOC team experts to underestimate or ignore those that are actually real.</p> <p>Checkpoint also emphasises the usefulness of artificial intelligence in managing these phenomena and supporting SOC teams, as it <em>“enables faster and more accurate detection and response, harnessing the power of AI and automation to improve TDIR</em> (Threat Detection and Incident Response) <em>processes”</em>. This was the subject of a lecture at MEDDLE held in Milan and of an <a href="https://www.edoardolimone.com/2024/05/26/intelligenza-artificiale-e-integrita-dei-dati/" target="_blank" rel="noreferrer noopener">article you can read here</a>.</p> <h2 class="wp-block-heading">Dwell Time and Attack Phases</h2> <p>To get a good understanding of <em>where dwell time</em> fits into a data breach, please refer to the diagram below. 
Imagine a normal ransomware attack:</p> <ul class="timeline wp-block-list"> <li><strong><span style="text-decoration: underline">Step 1</span></strong>: The hacker starts the <em>exploitation</em> and <em>installation</em> phases of the malicious applications.</li> <li><strong><span style="text-decoration: underline">Step 2</span></strong>: The hacker gains control over the system and starts the exfiltration phase.</li> <li><strong><span style="text-decoration: underline">Step 3</span></strong>: The hacker starts the data encryption/deletion activity.</li> </ul> <p><em>Dwell time</em> corresponds to the entire phase two, which is why the more accurate rendering is the time the attacker <em>dwells</em> in the system. The hacker remains inside the system throughout phase two, implementing the <em>command and control</em> mechanisms needed to manage it and to exfiltrate files; during this phase his activity is silent, often invisible, but constant.</p> <p>In phase 3, however, the attack becomes evident: the files are rendered inaccessible and this is noticed by all operators, not just the members of the SOC team. One could say that ‘it’s too late now’: the hacker has already got everything he needed (control of the system and of the files).</p> <h2 class="wp-block-heading">Managing dwell time</h2> <p>The National Institute of Standards and Technology (NIST) has published an interesting document written by the company Mandiant and entitled ‘Using Metrics to Mature Incident Response Capabilities’ (<a href="https://www.nist.gov/system/files/documents/2016/09/16/mandiant_rfi_response.pdf">link</a>). It is worth noting that the document is not up to date, in fact it is rather dated (09 April 2014), but it does contain interesting information to reflect on and answers one question: can dwell time be parameterised? It can, using the DRAIN CVR model. 
This is an acronym that means:</p> <ul class="wp-block-list"> <li><strong>Detect</strong></li> <li><strong>Review</strong></li> <li><strong>Analyze</strong></li> <li><strong>Identify</strong></li> <li><strong>Notify</strong></li> <li><strong>Collect</strong></li> <li><strong>Validate</strong></li> <li><strong>React</strong></li> </ul> <p>According to Mandiant, dwell time management must be realised through specific activities aimed at performing the actions described above. The diagram below can help to better understand the methodology proposed by Mandiant.</p> <figure class="wp-block-image aligncenter size-large"><a href="https://www.edoardolimone.com/wp-content/uploads/2024/06/immagine.png"><img loading="lazy" decoding="async" width="1024" height="279" src="https://www.edoardolimone.com/wp-content/uploads/2024/06/immagine-1024x279.png" alt="" class="wp-image-17642" srcset="https://www.edoardolimone.com/wp-content/uploads/2024/06/immagine-1024x279.png 1024w, https://www.edoardolimone.com/wp-content/uploads/2024/06/immagine-300x82.png 300w, https://www.edoardolimone.com/wp-content/uploads/2024/06/immagine-768x209.png 768w, https://www.edoardolimone.com/wp-content/uploads/2024/06/immagine-1536x418.png 1536w, https://www.edoardolimone.com/wp-content/uploads/2024/06/immagine.png 1558w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption">DRAIN CVR model from Mandiant</figcaption></figure> <p>In Italian, we could adapt the DRAIN CVR model as follows:</p> <figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th class="has-text-align-center" data-align="center">ENGLISH</th><th class="has-text-align-center" data-align="center">ITALIAN</th></tr></thead><tbody><tr><td class="has-text-align-center" data-align="center">Detect</td><td class="has-text-align-center" data-align="center">Determination</td></tr><tr><td class="has-text-align-center" data-align="center">Review</td><td class="has-text-align-center" 
data-align="center">See</td></tr><tr><td class="has-text-align-center" data-align="center">Analyze</td><td class="has-text-align-center" data-align="center">Analyses</td></tr><tr><td class="has-text-align-center" data-align="center">Identify</td><td class="has-text-align-center" data-align="center">Identify</td></tr><tr><td class="has-text-align-center" data-align="center">Notify</td><td class="has-text-align-center" data-align="center">Notification</td></tr><tr><td class="has-text-align-center" data-align="center">Collect</td><td class="has-text-align-center" data-align="center">Collect</td></tr><tr><td class="has-text-align-center" data-align="center">Validate</td><td class="has-text-align-center" data-align="center">Valid</td></tr><tr><td class="has-text-align-center" data-align="center">React</td><td class="has-text-align-center" data-align="center">React</td></tr></tbody></table><figcaption class="wp-element-caption">Hypothesis of translation of the DRAIN CVR model into Italian</figcaption></figure> <p>It is also important to note that Mandiant separated the DRAIN moment from the CVR moment: the former is composed of investigation and reporting actions, which belong to the dwell time; the latter involves containment activities.</p> <h2 class="wp-block-heading">How long can a dwell time last?</h2> <p>There are very interesting cases of extremely long-lived data breaches, and those who claim that dwell time lasts only a few days or even hours are simply wrong. In the article <a href="https://medium.com/secjuice/controlling-dwell-time-its-about-much-more-than-compliance-23a2149e590e" target="_blank" rel="noreferrer noopener">‘Breach Detection | Controlling Dwell Time Is About Much More Than Compliance’</a> by R. MacMillan it is written: <em>‘according to the latest M-Trends reports<strong>, the average global dwell time is 99 days</strong>. 
The EMEA and Asia-Pacific regions fare even worse, <strong>averaging 106 days for Europe, the Middle East and Africa, rising to 172 days in Asia</strong>’</em>.</p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>The class action brought against Noodles & Co last year was based in part on the company’s liability for allowing malware to persist undetected for such a long period of time, in which case the dwell time was about five months.</p> <cite>Source: ‘Breach Detection | Controlling Dwell Time Is About Much More Than Compliance’ by R. MacMillan</cite></blockquote> <p>It is therefore important to realise that <em>dwell time</em> is a critical issue in cybersecurity management.</p> <h2 class="wp-block-heading">Configuration inconsistencies</h2> <p>If, on the one hand, there is a need to intervene on the platforms, adopting the most advanced, sophisticated and responsive ones, on the other hand there is an obligation to ask some questions about <em>configuration control</em>. The recent decisions of the Data Protection Authority (e.g. <a href="https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/10002324" target="_blank" rel="noreferrer noopener">10002324</a> concerning the company LazioCrea S.p.A., <a href="https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/10002287">10002287</a> concerning the Lazio Region, or <a href="https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9941232" target="_blank" rel="noreferrer noopener">9941232</a> concerning the ASL Napoli 3 Sud) show how little attention is paid to the basic rules of computer security. 
<em>Traffic filtering</em>, as well as <em>network segmentation</em>, is the basis of any IT infrastructure, and its absence will not make the work of security systems any easier.</p> <p>Not to mention that, very often, the aforementioned security systems are installed in ecosystems that are dated, obsolete or even already compromised by threats present on the servers. Under such conditions it becomes difficult, if not impossible, to obtain results that are even appreciable. There is therefore a basic inconsistency: I cannot guarantee the security of systems if they are badly configured or operate at an insufficient level of security.</p> <h2 class="wp-block-heading">Conclusions</h2> <p>Dwell time is a problem, especially since the actions carried out by the hacker during this period are not always such as to trigger the activation of security measures. It is therefore essential to have, on the one hand, well-functioning systems and, on the other, correct control mechanisms (both at the technical and at the operational-methodological level), without which it is almost impossible to achieve satisfactory results. Artificial intelligence is undoubtedly able to support monitoring and identification activities, not so much of the individual behaviours carried out by the hacker, but of their outcomes, which could be problematic.</p> <p>The article <a href="https://www.edoardolimone.com/en/2024/06/09/what-is-dwell-time-in-cybersecurity/">What is DWELL TIME in cybersecurity</a> comes from <a href="https://www.edoardolimone.com/en/elementor-17618">Edoardo Limone</a>.</p> ]]></content:encoded> </item> </channel> </rss>