New tools, products, platforms, funding rounds, and company developments in AI security.
This post describes how the author built Husky AI, a machine learning system that classifies images as huskies or non-huskies, using a convolutional neural network (CNN, a type of AI model designed to process images). The author gathered about 1,300 husky images and 3,000 other images using Bing Image Search, then organized them into separate training and validation folders to build and test the model. The post notes a potential security risk: attackers could poison either the training or validation image sets to cause the model to perform poorly.
A security researcher will present on Shadowbunny, a technique that misuses virtual machines (software that simulates a computer) during lateral movement (when an attacker spreads from one compromised system to another). The presentation will also discuss threat hunting (searching for signs of attacks) and detection methods to identify this technique.
Race conditions in ACL (access control list, the rules that determine who can access files) application occur when a system creates a sensitive file but there is a time gap before permissions are applied to protect it, potentially allowing attackers to access the file during that window. This type of vulnerability exploits the timing between file creation and permission lockdown to expose sensitive information.
This article discusses how to measure the maturity and effectiveness of security testing programs, particularly red teaming (simulated attacks to find vulnerabilities). The author suggests using existing frameworks like CMMI (Capability Maturity Model Integration, a system developed by Carnegie Mellon University that rates how well-organized software processes are on a scale of one to five) that can be adapted to evaluate offensive security programs.
A researcher created a tool that uses Firefox's debugging API (a set of commands for controlling Firefox remotely) to extract cookies (small files that store login information and preferences) from the browser, which is useful when an attacker doesn't have administrator access or user credentials. The tool works by connecting to Firefox's debug server, sending JavaScript commands to access the Services.cookies.cookies array, and retrieving the results, though it requires the debugging feature to be manually enabled first.
Firefox includes a built-in remote debugging feature that allows attackers to access authentication tokens and cookies from a compromised system. By default, Firefox disables this feature, but malware can enable it by modifying configuration files (user.js or prefs.js) to set specific debugging preferences and remove security prompts that would alert the user.
Port-proxying is a Windows technique that allows a process listening on one network interface (such as localhost, which is only accessible locally) to be exposed on a different network interface. This is useful for scenarios like making a local-only service accessible remotely, forwarding traffic between two network interfaces, or pivoting (moving through a network to access other systems).
A researcher discovered a persistent XSS (cross-site scripting, where an attacker injects malicious code into a web page that runs in other users' browsers) vulnerability in the AWS Console several years ago. The post documents how they found the bug, the techniques they used, and Amazon's response to the discovery.
This is a brief announcement that a security blog called 'Embrace the Red' was ranked as the 10th top penetration testing blog by Feedspot (a blog aggregation service). The blog focuses on offensive security engineering, penetration testing (simulating attacks to find vulnerabilities), and red teaming (groups that act as mock attackers to test defenses).
This article explains how to use built-in OS search features (Windows Search indexing and macOS Spotlight) to quickly hunt for credentials that may be stored in plain text on machines. Rather than manually searching through files, administrators and security teams can query the OS index via command line using PowerShell scripts on Windows or the mdfind command on macOS, which is much faster and can also search binary files.
The Shadowbunny technique uses virtual machines (VMs, software that emulates a complete computer within another computer) during lateral movement (spreading from one compromised system to others) to hide attackers' presence and avoid security detection tools. Real-world attackers, including those behind Ragnar Locker Ransomware (malicious software that encrypts files for extortion), have already employed this method, making it important for security professionals to understand how to detect it.
A security bug jail is a development practice where system owners cannot work on new features if their system has more than a set number of active security vulnerabilities (for example, a limit of 3). This approach prevents security debt (accumulated unfixed flaws) from growing uncontrollably over time by forcing teams to prioritize fixing existing security issues before adding new functionality.
Monte Carlo simulations (statistical methods that use repeated random sampling to model outcomes) can improve red teaming skills by offering fresh perspectives for presenting security findings. Red teaming involves challenging an organization by analyzing its business processes and methodologies, and Monte Carlo simulations have been applied to security programs, threat modeling (the process of identifying potential attacks on a system), and measuring cybersecurity risk.
Phishing campaigns (fake emails designed to trick people into revealing information) produce results that are hard to compare over time because different security teams use different tools and methods. The author recommends tracking a standard set of metrics to make these comparisons meaningful.
A security researcher discovered a vulnerability in Mozilla's infrastructure by researching Firefox's remote debugging features and found that Mozilla uses Phabricator (a web-based platform for code reviews, bug tracking, and storing credentials). The researcher was awarded a $3000 bug bounty for successfully locating exposed credentials through this system.
Cookie Crimes is a known attack technique that exploits Chrome's remote debugging feature (a tool that lets developers control browsers from a distance) to steal cookies (small files that store login information and user data). Because Microsoft's new Edge browser is based on Chromium (the open-source code that powers Chrome), the same Cookie Crimes attack works on Edge with only minor changes, like replacing "chrome.exe" with "msedge.exe".
This post introduces the machine learning pipeline, which consists of sequential steps from collecting training images, pre-processing data, defining and training a model, evaluating performance, and finally deploying it to production as an API (application programming interface, a way for software to communicate). The author uses a "Husky AI" example application that identifies whether uploaded images contain huskies, and explains that understanding this pipeline's components is important for identifying potential security attacks on machine learning systems.
A security researcher describes their year-long study of machine learning and AI fundamentals, with the goal of understanding how to build and then attack ML systems. The post outlines their learning approach, courses, and materials for others interested in starting adversarial machine learning (attacking ML systems).
Telemetry (data collected about how users interact with software) is often used by companies to make business decisions, but telemetry pipelines (the systems that collect and process this data) can be vulnerable to attacks. A red team security test demonstrated this by spoofing telemetry requests to falsely show a Commodore 64 as the most popular operating system, which could mislead companies into making poor decisions based on fake usage data.
Fix: The source mentions that internal red teams should run security assessments of telemetry pipelines. According to the text, this ensures that 'pipelines are assessed and proper sanitization, sanity checks, input validation for telemetry data is in place.' However, no specific technical fix, patch version, or concrete implementation details are provided.
Embrace The RedThis article discusses red teaming techniques (testing methods where security professionals act as attackers to find weaknesses) that organizations can use to identify privacy issues in their systems and infrastructure. The author emphasizes that privacy violations often come from insider threats (employees or contractors with authorized access to sensitive data), and highlights the importance of regular privacy testing as required by regulations like GDPR (General Data Protection Regulation, which sets rules for protecting personal data in Europe). The article mentions the "Motivated Intruder" threat model, where an insider with access to anonymized datasets (data with identifying information supposedly removed) uses data science techniques to reidentify people and expose their identities.
Fix: Blue teams should monitor and add detection alerts for modifications to Firefox configuration files, specifically changes to the settings: devtools.chrome.enabled, devtools.debugger.remote-enabled, and devtools.debugger.prompt-connection. The source also recommends using SSH port forwarding to encrypt debugging traffic if remote access is needed, since the debugging protocol sends data in clear text.
Embrace The RedFix: Blue teams should look for command line arguments like --remote-debugging-port and custom --user-data-dir to detect potential misuse of this feature in both Chrome and Edge. The author also suggested adding detections for this attack technique to Windows Defender, and notes that "there are more mitigation ideas in the previous blog post about Chrome" which readers should reference.
Embrace The Red