La relazione descrive le attività di penetration testing condotte in ottemperanza all'incarico conferito dal direttore dell'Istituto di Informatica e Telematica del CNR (IIT-CNR), con l'obiettivo di valutare la sicurezza delle risorse informatiche presso l'IIT-CNR (sede di Pisa), al fine di prevenire potenziali impatti negativi derivanti dalle minacce cibernetiche.

Optimal Quality of Service (QoS) and efficient traffic management in 5G Non-Terrestrial Networks (NTNs) rely on the effective orchestration of communication between the various network elements. Through real-time monitoring of the 5G infrastructure, we can derive signi

This document serves as a comprehensive overview of the 5G research infrastructure developed for the TRANTOR project, a 3-year initiative nanced by the HORIZON EUROPE program that concentrates on the forward trajectory of 5G Non-Terrestrial Network (NTN) evolution, heading towards 6G systems. The goal of the infrastructure is to facilitate and deeply investigate the Quality of Service (QoS) and traffic management in NTN associated with 5G systems and to develop new functionalities as foreseen by the TRANTOR project. The experimental network infrastructure is based on the open-source free5GC project, further complemented by a standalone implementation of a 5G RAN (Radio Access Network, also known as gNodeB) and multiple 5G UE (User Equipment) using UERANSIM, an open source state-of-the-art 5G UE and gNodeB simulator. Detailed overview and use cases of the deployed 5G infrastructure are also described.

The rapid advancements in Low Earth Orbit (LEO) satellite technologies promise high bandwidth and lower costs, making them crucial components for the future 6G networks. However, these orbits introduce a range of challenges not present in traditional Geosynchronous Orbit (GEO) systems, such as mobility issues, smaller coverage areas, and the need for inter-satellite communications. Within the scope of the TRANTOR project, we aim to investigate the complexities and peculiarities involved in utilizing LEO satellites for global communications. In this technical paper we will focus on reviewing the dynamic traffic and Quality of Service (QoS) management of NTN networks primarily being based on the 3GPP document "Technical Specification Group Radio Access Network; Solutions for NR to support non-terrestrial networks, NTN, Release 16" (3GPP TR 38.821 V16.1.0 (2021-05)).

This document explores control and monitoring mechanisms commonly employed in Ethernet-based network infrastructures, aiming to provide a comprehensive understanding of their functionality. It presents practical script examples that utilize scapy, a powerful and user-friendly Python library for sensing and manipulating network packets. The showcased scripts focus on essential functionalities such as ARP monitoring, IPv4 collision detection, and rogue DHCP server detection. By examining these examples, readers can gain a comprehensive understanding of how these mechanisms contribute to network control and maintenance. The main objective is to offer valuable insights and practical applications of these mechanisms within Ethernet-based network infrastructures.

This document provides a comprehensive analysis of the MIRAI botnet, a sophisticated malware that specifically targets vulnerable Internet of Things (IoT) devices. The analysis focuses on the bot's infection process, key features, PRNG implementation, information storage, execution flows and loader's functionalities. The MIRAI botnet demonstrates a high level of automation and adaptability, employing scanning techniques and various attack vectors to compromise IoT devices. The PRNG implementation utilizes the Xorshift128 algorithm, optimized for resource-constrained IoT devices. The storage of crucial information within the bot is examined, highlighting the use of obfuscation techniques. The execution flows involve processes for network scanning, attack coordination and attempts to gain unauthorized access using default credentials. The loader component operates with a multi-threaded architecture, efficiently managing the infection process. Additionally, the document explores the loader's features, such as selecting appropriate executables based on hardware architectures and utilizing different file upload methods. These insights shed light on the complexity and versatility of the MIRAI botnet, emphasizing the need for robust security measures. Manufacturers and users are encouraged to prioritize strong passwords, regular firmware updates and network segmentation to mitigate the risks posed by this malicious botnet.

This document presents a comprehensive solution for deploying an open-source AAA infrastructure using MariaDB, FreeRADIUS and daloRADIUS on dedicated instances of Debian 11. The architecture overview provides a clear understanding of the interactions between each component, establishing a foundation for the implementation of an AAA infrastructure. The presented infrastructure is intended to fulfill the requirements of Internet Service Providers (ISPs) globally, offering a cost-effective and highly customizable alternative to proprietary solutions. By leveraging the advantages of open-source technology in network management, the infrastructure enables ISPs to manage remote hotspots and other use cases with high customizability. Additionally, this document seeks to encourage the adoption of open-source technology solutions in the field of network management.

Il presente report mostra i risultati derivanti dall'analisi dei certificati TLS/SSL server rilasciati dal servizio di emissione certificati digitali X.509 offerto dal CNR nel corso dell'anno 2022. Il CNR, in quanto ente membro della comunità GARR, fornisce ai propri utenti il servizio di emissione gratuita di certificati digitali X.509, garantiti da Sectigo Limited, una delle principali certification authorities commerciali con riconoscimento di trusted CA. Il report fornisce informazioni dettagliate sul numero di certificati rilasciati, scaduti e revocati mensilmente, la distribuzione dei domini inclusi nei certificati e la loro suddivisione in domini CNR e non CNR. Inoltre, il report analizza la distribuzione dei domini inclusi nei certificati sulla base del domain level. Il servizio offerto dal CNR è accessibile tramite un portale online dedicato. Un'assistenza tecnica via email è disponibile per supportare gli utenti nelle richieste di emissione dei certificati e in generale nell'uso del servizio. Benché il servizio offra una vasta gamma di certificati digitali, il report si concentra esclusivamente sulla presentazione delle statistiche relative ai certificati di tipo TLS/SSL server.

The article provides technical details on a security issue discovered in daloRADIUS (https://github.com/lirantal/daloradius), along with the patch to apply for correcting the issue. In particular, all versions of daloRADIUS prior to the master branch transmit the session cookie (i.e. PHPSESSID) without setting the HttpOnly flag. The problem could cause JavaScript (e.g., using document.cookies) to access the PHPSESSID cookie value on the browser side.

The article provides technical details and describes the steps needed for exploiting a software vulnerability in daloRADIUS (https://github.com/lirantal/daloradius). In particular, an unauthenticated user can gather information on the remote system just by visiting the following endpoints: /library/exten-radius_server_info.php (which reveals pieces of information such as system uptime, CPU load, etc.) and /library/exten-server_info.php (which reveals if mysql and/or freeradius are currently running). The CVE-2022-4366 identifier has been assigned to the vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2022-4366) which has a high severity score (7.5/10, assigned by NIST).

By periodically performing network scanning activities on our organization's computer networks, it is sometimes possible to detect cybersecurity issues and contextually, to study and propose host-level countermeasures to prevent or mitigate possible cyber attacks designed to exploit the detected issues. In particular, in this document we focus on some issues, detected on a real-world running instance of WordPress (the well-known web content management system) and propose for each of them a possible host-level countermeasure. Finally, although this document refers to the issues and the related host-level countermeasures, which have been applied using the so-called sysadmin's approach and are specific to the web application we have analyzed, it should be clear that they could affect other similarly configured/managed web applications.

The activities concerning the administration of several Debian-based servers, closely related to the activities concerning the administration of networking and firewalling infrastructures of the Research Area of the CNR of Pisa, allowed us to experiment, over time, different measures to increase the security of these types of systems. In addition to the measures that can be implemented at the network level, using - also and not exclusively - border firewalling devices, there are several generic security measures that can be directly implemented on those Debian-based systems for which we want to increase the level of security. This document presents a possible subset of all measures belonging to the latter category, providing suggestions and details on potential implementation methods.

This document presents a technical-practical methodology for updating and replanning complex telematic infrastructures. In detail, the methodology covers all the aspects related to maintenance of network closets, specifying how and when to perform the preliminary operations, the operations related to the physical execution of the maintenance work and the completion operations. Finally, it describes the updating and replanning operations of an important part of the campus area network of the CNR research area of Pisa, which have been performed by applying the presented methodology in order to demonstrate its validity and effectiveness.

The network security solution in use at the Pisa Research Area since 2008, is based on two on premise Next Generation Firewalls (NGFWs) capable of protecting the network infrastructure using typical NGWF features such as application awareness, threat prevention, anti-virus, anti-spyware, URL filtering, file blocking, DDoS protection, etc. Unlike traditional packet filtering firewalls, NGFWs enforce security policies not only based on network traffic attributes (e.g. IP addresses, protocol numbers and port numbers, etc.) but also on other types of attributes, such as the username of an authenticated user, the name of the used application, the type of the transported data, etc. Furthermore, NGFWs support the concept of zone-based firewalling and allow the configuration of individual protection rules regardless of the used network layer protocol, thus implementing a dual stack (IPv4/IPv6) firewall. There are various NGFW manufacturers in the market. Therefore, a public organization in need of acquiring a NGFW-based network security solution, should compare various products in order to select the best quality-price ratio. Unfortunately, at the time of writing of this document, there are no standard methods, i.e. benchmarks, for objectively evaluating and comparing performance indicators of NGFW devices from different manufacturers. For this reason, organizations are forced to make a choice by following a logical process that takes into account a series of different evaluation criteria (technical, practical, economical, administrative, etc.). This document tries to address the various issues that an organization might face during the phases of selection and acquisition of a security solution based on NGFW technologies, mainly considering both technical and administrative aspects.

Questo technical report riporta la prima versione della Security Policy dell'Istituto di Informatica e Telematica, adottata nel rispetto della normativa vigente "Misure minime di sicurezza ICT per le pubbliche amministrazioni" previste dall'Agenzia per l'Italia Digitale. Tratta gli aspetti necessari per rilevare eventuali criticità di sicurezza informatica e stabilisce le azioni da intraprendere per accrescere il livello di sicurezza dell'intero ecosistema informatico dell'Istituto. Definisce inoltre un insieme di misure organizzative e comportamentali da adottare, da parte del personale dello IIT, per contrastare le minacce informatiche più frequenti e gestire eventuali incidenti. Un ulteriore obiettivo è la consultazione e divulgazione della policy stessa ad altri istituti del CNR, enti di ricerca e Pubblica Amministrazione, al fine di supportarli nella definizione di una politica di sicurezza per la propria organizzazione.

La presentazione descrive una vulnerabilità individuata nell'applicazione web daloRADIUS e presenta tutti i passi necessari per sfruttare tale vulnerabilità al fine di ottenere il controllo del server su cui tale software è installato.

The easiest and widely used authentication method to access Internet services is based on username and password. When users can create their own accounts on services that require online self-registration procedure, email addresses are usually used as usernames. Cybercriminals are constantly aiming to steal this type of data for various reasons, for example with the purpose of selling them in the underground market. Sometimes stolen accounts can be found on the public Internet, even without the owner being aware of it. In this report we provide a qualitative description and a quantitative analysis of Cit0Day data leak, a collection of more than 345 million hacked login credentials from 23600 online services, made available on the public Internet in October 2020. In particular, our analysis focuses on two different aspects: one related to the hacked services and the other related to the end user credentials. Finally, we have carried out a specific analysis of the data leak in order to assess the security concerns regarding our organization. Even if there were no hacked services belonging to our organization, we found out that nearly 2500 CNR related credentials were used on more than 450 hacked services.

daloRADIUS is an advanced RADIUS web management application aimed at managing hotspots and general-purpose ISP deployments. It features user management, graphical reporting, accounting, a billing engine and it integrates with Google Maps. It is based on a FreeRADIUS deployment with a database server, serving as the backend. It is written in PHP and JavaScript, utilizing a database abstraction layer to support many relational database management systems. The latest version of daloRADIUS (1.1-2 at the time of writing) uses an outdated version of DOMPDF (0.5.1). This document, firstly, presents how we have managed to confirm the presence of a known vulnerability (CVE-2010-4879) related to DOMPDF 0.5.1 in a running deployment of daloRADIUS 1.1-2. Secondly, a detailed attack scenario, accompanied by an exploit written in Python 3, has been presented to illustrate how an attacker can exploit the aforementioned vulnerability and obtain a reverse shell on the victim machine hosting daloRADIUS 1.1-2. Finally, a patched version of daloRADIUS, forked from the official GitHub repository and released on another Github repository under our control, has been presented.

Questa presentazione presenta dei grafici sui dati relativi ai tentativi di infezione rilevati dai nostri honeypot nel periodo Aprile-Settembre 2019 e descrive come utilizzare questi dati (in particolare gli indirizzi IP degli attaccanti) per accrescere il livello di sicurezza di un singolo host (end-point protection) mediante l'uso di un firewall locale e/o di una rete LAN mediante l'uso di un firewall di frontiera.

La presentazione mostra alcuni scenari che riguardano la connettività Wi-Fi e i relativi servizi nati grazie alla sua diffusione.