Data Breach: a short and clear recap of new duties, responsibilities and fines after the New European Regulations GDPR

How a company should behave if suffering a Data Breach, according to the new General Data Protection Regulation (GDPR)? How should it do it and in which time? What are the liabilities and what sanction does it incur in if it does not behave accordingly?

We had a “Word of the Day” about Data Breaches recently, and our curiosity about the topic arose quickly on what a company should do, also from a juridical perspective, in case it is victim of an IT violation and what are its liabilities according to European Regulation 2016/679 which will become effective in a few months and it’s worth preparing for it. 

Read more ...

GFI LanGuard: network security scanner and patch management

Properly keeping an IT infrastructure updated is a costly and weary activity: GFI’s LanGuard is a product conceived to structure and automate management process in a complete safety.

An example how dangerous is to have non updates systems is clearly shown by the very recent wave of infections by WannaCry, the ransomware that -albeit being targeted to a restricted number of users (they could have been way more had some remedies not been found promptly)- attacked Microsoft-based infrastructures in more than 150 countries. The ransomware exploited the EternalBlue vulnerability, which is available only on non-patched version of the operating system. Yet imagine what the outcome would have been if it targeted all Windows systems.

Read more ...

Wordpress Security

According to W3Techs, WordPress is used in 28,1% of the existing Internet websites, and it accounts for 59% of those based on a CMS (Content Management System), and the adoption rate is ever increasing. These numbers alore are enough to understand the great diffusion of WordPress: its easy installation and customization make it suitable to several use cases, eCommerce shop included.
But such popularity brings a downside: it’s one of the most attractive platforms to hackers. Luckily damages of an hacking attack can be prevented and limited with techniques and best practices that we will discuss in this article.

Read more ...

Protecting IoT devices

How to protect IoT devices connected to the Internet and keep them secure

IoT is the acronym of Internet of Things, and this term defines a network where devices, sensors, objects, people and animals are equipped with a univocal ID and are capable of exchanging data through the Internet without needing a direct man-machine interaction. The idea was born from the convergence of wireless technologies and the availability of sensors and tools that are more and more small, evoluted and cheap.

This is what we wrote about IoT in our “Word of the Day” column.

On a practical side, IoT is made up by all devices connected to the Internet, and the list is very extended, as we can infer from a quick search on Shodan, the research engine for IoT devices.
A consequence of being connected to the Network is the chance of being hacked, which is not remote at all: the risk is about devices being infected and added to a botnet used for illegal stuff, like DDoS attacks, malware distribution, spam campaigns and things like these.

Read more ...

WannaCry: an analysis of a vicious ransomware attack

In the middle of May we witnessed an event that could have been described as a normal ransomware attack, yet it turned out to have an incredible impact: we’re talking about WannaCry.

In a few hours, this ransomware infected thousands of computers and knocked out several infrastructures before being limited. Let’s analyze what happened and why it was an attack particular in its genre and, under certain aspects, even disturbing.


Read more ...

Security Bulletin - May 2017

DDoS attacks and botnets

Rakos botnet grows but remains dormant
The Rakos botnet grows but remains inactive, Morphus Labs’ Renato Marinho says.
Rakos adds 8.000 new zombie IoT each day, and continues to evolve: it now has a P2P structure. Some bots act as a (Command & Control) called Skaros, while other act as “slaves” -Checker- and launch SSH attacks to targets to add them to the botnet.
Today Rakos is composed by IoT devices as Raspberry PI (45%), OpenELEC on Raspberry PI (22%), Ubiquiti wireless access points (16%) and other.
As of now, the only remedy to the malware is to reboot the IoT device and use strong SSH credentials.
Marinho defines the botnet as “transient”: bots don’t remain as such indefinitely but only until a reboot. The force of the botnet lies in the number of bots available each day -almost 8.000- which is enough to launch an impactful DDoS attack.

Shodan launches new tool to find C&C servers
Shodan launches Malware Hunter, a tool specifically conceived to find Command and Control (C&C, sometimes C2) servers, ie servers belonging to a botnet that send commands to zombie members of the net and act as malware download center.
Malware Hunter works thanks to bots that scan the Network looking for computer configured to act as a C2 server; bots then use a predefined mode pretending to be an infected computer and communicate with the suspected C&C server: if it replies, Malware Hunter records data and makes it available with its powerful graphical tool.

Read more ...

IT Security Bulletin - April 2017

DDoS attacks and botnets

Mirai botnet launches DDoS attack toward US college

At the end of March Incapsula researchers discovered a DDoS attack aimed to an UN college.
The attack lasted 54 hours and generated an average of 30.000 requests per second with a peak of 37.000 and a total of 2.8bln requests; such number can KO most devices on the network.
Less than a day after the first attack, a second one happened, but this time with a lower impact: it lasted a little bit more than an hour and a half and RPS were 15.000, on average.

The attack shows a probable new version of the Mirai botnet, as the dimensions of the attack itself and used agent users show; it had an impact on the application level rather than on the network layer.

9.793 different IP addresses (from the US, Israel, Taiwan, India, Turkey, Russia and Italy) belong to Internet of Things devices like CCTV cameras, router and DVRs; in particular, 56% of the devices belongs to a DVR model of a single manufacturer.

Read more ...

IT Security Bulletin - July 2017

DDoS attacks and botnets

Linux.MulDrop14 targets Raspberry-PI devices for cryptocurrencies mining
Dr.Web researchers discovered a malware, called Linux.MulDrop14, which targets Raspberry PI devices, the popular single board computer, adding them to a botnet that mines for cryptocurrencies.
In this case devices which still have default credentials and are reachable via SSH from the outside are vulnerable: the malware installs on the device, changes the access password and adds some packages, including libraries to start mining, ZMap to scan networks for vulnerable devices and sshpass to login on any found device.
Once infected, the only way to delete the malware is reinstalling the whole operating system. Naturally default passwords must be changed.

Read more ...

Trend Micro and the threats of cyber espionage: actual and future trends

The second edition of the Security Barcamp organized by Trend Micro proves to be a very interesting meeting about IT related topics, both on a worldwide and on a more Italian-focused scale.

TM logo newtag stack 4c

Rik Ferguson, Trend Micro Vice-President, was the special guest of the event and, in an extended speech, he spoke about the three main threats in the IT field of the moment and which will be in the future.
The most important threat is ransomware for sure. The phenomenon boomed in 2015 and experienced a 400% growth in terms of attack typologies and available families during the following year. The new trend is to refine and improve the attacking techniques with a particular focus on selected business targets (whose data have an important value and can justify the payment of the ransom) and social engineering, which is at the basis of these attacks.

Read more ...

IT Security Bulletin - January 2017

DDoS attacks and botnets

Rakos, the new botnet that attacks Linux systems

ESET researchers published an article which explain how a botnet, called Rakos, is developing by infecting Linux servers and IoT devices through SSH attacks. The Mirai botnet, as a comparison, acts via Telnet, albeit a few attacks via SSH.

The first traces of Rakos date back to August 2016 and increased in the next months: the far is that the botnet, which is not active at the moment, is in the making and will sooner or later start DDoS attacks.

ESET researchers have understood how Rakos works: first it access to a Linux server via SSH with a brute force attack and creates folder with names such as .javaxxx, .swap, or kworker and where it works from.

Read more ...

Safer emails and Web sites: get protected with SSL/TLS certificates

Here’s how to use SSL/TLS, S/Mime, certificates and public key cryptography in order to make Web services and email communications safer

Despite several technologies related to SSL/TLS protocols being attacked in the last 3 years, a good sysadmin or IT manager in 2016 can’t tolerate its organization still uses systems that transmit information in clear.
The use of Transport Layer Security (and its predecessor SSL) -it should be clear- it not enough to guarantee confidentiality of transmitted data on the Internet, and a quick bibliographic research shows the vast method of attacks to such protocols (like in this case and this other). TLS represents a first, fundamental security level for transmitted data, both for the access of a Web service of your company and the access to email via Webmail or IMAP/POP3/Exchange.
TLS acts as a tunnel and doesn’t modify the ongoing communication between client and server: it only adds a layer, indeed, that ciphers data between the source and the destination by using some key concepts at the basis of public key cryptography. Who has a server role needs a certificate, released by a certification authority or, in the worst case, self-signed: only who has purchased the certificate owns the private key that allows to encrypt the communication.

startssl startcom tool

Read more ...

Anti-ransomware toolkits - How to fight Cryptolocker & Co

In the previous issues of GURU advisor we have dedicated article and in-depth analysis, like the one on the April 2016 issue, to the phenomenon of crypto-lockers. This plague isn’t showing any sign of slowing down and, if on one hand we have some good news (like the release of the code to decrypt data ciphered by TeslaCrypt), on the other hand new threats arise each week. For instance RAA, developed with JavaScripts and distributed via email as attached .doc file. Despite making it unharmful by disabling the Windows Script Host feature (and, subsequently, the execution of scripts), in practice RAA is another threats to your data. In this article we’d like to widen our knowledge by talking about specific tools to fight ransomware.
Prevention with backups, data protection, etc, still is the best tool at the disposal of users, of course.

A quick recap

There is a large number of tools we’ve already introduced you, so let’s recap them briefly.

  • CryptoPrevent by FoolishIT sets Group Policy that prevent some ransomware from being installed.
  • TeslaDecoder by BloodDolly decrypts files hit by TeslaCrypt (up to version 4).
  • BitDefender offers a tool against Linux Encoded (a ransomware that hits Linux systems) and a vaccine for CTB-Locker, Locky and TeslaCrypt called BD Antiransomware.
  • Malwaresbytes Anti-Ransomware, formerly known as CryptoMonitor, blocks CryptoWall4, CryptoLocker, Tesla, and CTB-Locker, but it’s still in beta phase.
  • Third Tier Ransomware Prevention Kit contains a set of Group Policy, filters, whitelist, settings, documents and much more to prevent infections from ransomware.

id ransomware

Once hit by a ransomware, the first fundamental step is to discover which crypto-ransomware is responsible for the attack. To do that, the ID Ransomware service by MalwareHunterTeam is particularly effective. By uploading an infected sample file, it identifies the type of ransomware from a pool of 103 different types available in the database. ID Ransomware doesn’t decrypt any file, it lets you know the exact nature of the ransomware attack.

Read more ...

Virus, Ransomware and other Malware: legal implications and consequences

Perhaps you did underestimate them, but all virus, and in particular, the more recent Ranswomare that steal your data and ask for a ransom, are against the law. Let’s see how to behave, and let’s understand when and if filing a complaint.

As a technician, expert, IT manager or consultant you’ve maybe given advice to your colleagues, friends and clients by facing legal questions related to the IT world with a practical approach, using some common sense. Unfortunately that could not be the best way to follow, at least if you want to avoid risks, damages or consequences on your activity.

Warning: while the reflections contained in this article apply to Italian law, they may or may not apply to other laws. Each specific italian term is specified in parenthesis for a better understanding.

All malware -that is, harmful software that snake into computers and IT systems to steal information, open ports for remote control and other perils, or encrypt data with an extortion aim- clearly violate the italian juridical system and who spreads them commits a crime which is subject to sanctions according to our penal code (codice penale, c.p.). In particular, there is not only an abusive access to an IT or telematic system (ex art.615 ter c.p.), but also the diffusion of devices or programs with the specific fraud (that is, consciously) of damaging, interrupting or altering any IT or telematic system, and we can also face the criminal hypothesis of art.615 quinquies c.p.; if a “damagement of information, data and programs” is present, the crime is condemned by art.635 bis c.p. with a basic punishment of detention for 6 months to 3 years, complaint presented, with respect to art.124 c.p., within 3 months to the news of the crime (otherwise, prosecution cannot be advanced).

But things worsen if we deal with the recent threats brought by ransomware, virus that encrypt files and ask for a ransom in order to have decryption keys. In this case it’s a crime, still not specified in the IT world, of extortion, which is regulated by art.629 c.p., in accordance with the indications given by the Ministry of Justice (Ministero della Giustizia). The crime of extortion if committed by “whoever, by means of violence or threat, obliging someone to do or omit something, gains himself or others an unfair profit with damage to a third party.” From that it would derive stricter penalties to the responsibles (basic penalty is detention from 5 to 10 years and a fine from 1.000 to 4.000€), in addition the crime to being prosecutable ex officio. Moreover, it would also derive, from the transfer of money of the ransom payment, the crime of laundering (riciclaggio) ex art.648 bis c.p. in charge to who has received and “used” money.

How to behave if hit by malware or ransomware?

Read more ...

TeslaCrypt defeated: the universal decrypt key has been released - Here's what to do

With a coup de théâtre like in a spy movie, the developers behind the feared TeslaCrypt ransomware finally decided to end its development and diffusion project and openly published an universal key to decrypt files.

In an article on last month’s issue we dealt with the ransomware phenomenon: TeslaCrypt is for sure one of the most feared and widespread virus of this kind. Luckily, we have a good news: an universal decryption key is available and ready to be used by those who have been infected by this virus.

A researcher of Eset -the renown software house that develops the Eset antivirus- contacted the developers of TeslaCrypt with the support chat of the ransom payment portal and, pretending to be an user hit by the ransomware, asked for a decryption key. With his uttermost surprise, he was delivered with the universal alphanumeric decryption key. Naturally a proper tool is needed in order to use such key, and this problem has been solved too: the developer BloodDolly, who released months ago his TeslaDecoder tool to decrypt files hit by the first versions of TeslaCrypt (1.0 and 2.0), updated his tool so it can now decrypt files created by versions 3.0 and 4.0 of the dangerous ransomware (the ones with extensions .xxx, .ttt, .micro, .mp3 or even without any extension at all).


Read more ...

banner eng

fb icon evo twitter icon evo

Word of the Day

The term Edge Computing refers, when used in the cloud-based infrastructure sphere, the set of devices and technologies that allows...


The acronym SoC (System on Chip) describes particular integrated circuit that contain a whole system inside a single physical chip:...


The acronym PtP (Point-to-Point) indicates point-to-point radio links realized with wireless technologies. Differently, PtMP links connects a single source to...


Hold Down Timer is a technique used by network routers. When a node receives notification that another router is offline...


In the field of Information Technology, the term piggybacking refers to situations where an unauthorized third party gains access to...

Read also the others...

Download of the Day


Netcat is a command line tool that can be used in both Linux and Windows environments, capable of...



Fiddler is a proxy server that can run locally to allow application debugging and control of data in...


Adapter Watch

Adapter Watch is a tool that shows a complete and detailed report about network cards. Download it here.


DNS DataView

DNS DataView is a graphical-interface software to perform DNS lookup queries from your PC using system-defined DNS, or...


SolarWinds Traceroute NG

SolarWinds Traceroute NG is a command line tool to perform advanced traceroute in Windows environment, compared to the...

All Download...

Issues Archive

  •  GURU advisor: issue 21 - May 2019

    GURU advisor: issue 21 - May 2019

  • GURU advisor: issue 20 - December 2018

    GURU advisor: issue 20 - December 2018

  • GURU advisor: issue 19 - July 2018

    GURU advisor: issue 19 - July 2018

  • GURU advisor: issue 18 - April 2018

    GURU advisor: issue 18 - April 2018

  • GURU advisor: issue 17 - January 2018

    GURU advisor: issue 17 - January 2018

  • GURU advisor: issue 16 - october 2017

    GURU advisor: issue 16 - october 2017

  • GURU advisor: issue 15 - July 2017

    GURU advisor: issue 15 - July 2017

  • GURU advisor: issue 14 - May 2017

    GURU advisor: issue 14 - May 2017

  • 1
  • 2
  • 3
  • BYOD: your devices for your firm

    The quick evolution of informatics and technologies, together with the crisis that mined financial mines, has brought to a tendency inversion: users that prefer to work with their own devices as they’re often more advanced and modern than those the companies would provide. Read More
  • A switch for datacenters: Quanta LB4M

    You don’t always have to invest thousands of euros to build an enterprise-level networking: here’s our test of the Quanta LB4M switch Read More
  • Mobile World Congress in Barcelona

    GURU advisor will be at the Mobile World Congress in Barcelona from February 22nd to 25th 2016!

    MWC is one of the biggest conventions about the worldwide mobile market, we'll be present for the whole event and we'll keep you posted with news and previews from the congress.

    Read More
  • 1