New tools, products, platforms, funding rounds, and company developments in AI security.
This is a video resource about how security breaches happen, covering the step-by-step process attackers use to compromise systems. The content is from WUNDERWUZZI and is intended for educational purposes to help people understand attack methods and how to defend against them.
This post explores how BPF (Berkeley Packet Filter, a technology that allows running custom programs inside the Linux kernel) can be used offensively, specifically focusing on the bpf_probe_write_user function (a helper that lets BPF programs modify user-space data during execution). The author documents their process of learning to write advanced BPF programs in C using libbpf to manipulate filenames, hide directories, and simulate ransomware attacks while also considering detection methods.
This post describes how to use bpftrace (a tool for tracing system behavior) with uprobes (hooks into user-space functions) to intercept and read Firefox's encrypted traffic by hooking into the NSS library (Mozilla's Network Security Services, which Firefox uses for encryption). The author discovered that Firefox uses local NSS libraries rather than system-wide encryption libraries, and created a bpftrace script that hooks the PR_Write function to capture and display the data Firefox sends.
Tabnabbing is a web application security vulnerability that attackers can use to perform phishing attacks (tricking users into giving up sensitive information by impersonating legitimate websites). The video explains how tabnabbing works and how to defend against it, and notes that the vulnerability is relatively straightforward to prevent.
This post explores bpfcc-tools, a collection of existing BPF (Berkeley Packet Filter, a technology that runs custom programs inside the Linux kernel) programs used for system performance monitoring and observability. The author explains that BPF tools are becoming increasingly common in production environments because they're useful for analyzing system behavior without requiring custom code.
This post discusses detection strategies for identifying malicious use of BPF (Berkeley Packet Filter, a technology that allows programs to run safely inside the Linux kernel), specifically focusing on bpftrace (a tool for tracing system events using BPF). The author is exploring how attackers might misuse BPF and what defensive approaches Blue Teams (security defenders) could use to catch such misuse.
This post describes how to use bpftrace (a tool for tracing Linux kernel events) to create a backdoor that executes commands when it receives a specific secret message on any port. The author explains how to use enter and exit trace points (hooks into when functions start and finish) to capture data from network reads, then compare that data against a trigger message to run malicious commands.
This post explores how bpftrace, a tool for running BPF programs (eBPF, extended Berkeley Packet Filter, which lets programs monitor and modify system behavior at a low kernel level), could potentially be misused to create backdoors by observing network traffic and triggering malicious actions. The author is studying this offensive technique to better understand security threats and help defenders recognize such attacks.
eBPF (extended Berkeley Packet Filter, a technology that lets users run small programs inside the Linux kernel without modifying kernel source code) is gaining attention for offensive security uses because it can hook into system calls, manipulate data, and even run on network hardware. The article introduces eBPF's structure (programs, maps, and events) and explains how attackers could potentially exploit its flexibility and power to hook into system functions, modify data, and spawn processes.
This is a 25-minute educational video covering the foundational concepts needed to understand web application security. It explains the basic building blocks of web applications, such as HTML, HTTP, JavaScript, and cookies, as well as core security concepts like the Same-Origin Policy (a rule that prevents websites from accessing each other's data without permission). The video prepares viewers to understand common security vulnerabilities like XSS (cross-site scripting, where attackers inject malicious code into web pages), CSRF (cross-site request forgery, where attackers trick users into performing unwanted actions), and SQLi (SQL injection, where attackers insert malicious database commands into input fields).
On Linux systems, users with uid=0 (user identifier zero) have root privileges, which bypass all security checks. An attacker can create a new account or modify an existing one to have uid=0 by editing the /etc/passwd file or using commands like 'usermod -u 0', giving them complete system control.
Procdump is a tool that creates core dumps (snapshots of a program's memory) and can be installed on Linux systems, though it receives less attention from security professionals there than on Windows. An attacker with access to a Linux system can use procdump to dump the memory of running processes and search through them for sensitive information like passwords and credentials, as demonstrated in a scenario where an attacker extracts a password from a user's text editor process.
The Silver Searcher is a fast search tool designed for finding code and files quickly, with a focus on searching through source code. It offers built-in features that make it faster and more convenient than traditional tools like grep (a command-line search utility) and findstr.
Attackers can abuse Component Object Model (COM, a Windows system that lets programs automate each other) to weaponize Microsoft Office applications like Excel and Outlook for malicious purposes, such as creating documents, stealing data, and establishing command-and-control channels. Since COM automation uses legitimate, pre-installed applications, these attacks can be hard to detect. The article highlights that monitoring for unusual COM usage patterns is important for defensive teams to catch this type of threat.
A researcher explored three security and privacy aspects of Apple's AirTag tracking devices: physically removing the speaker component, using browser APIs (code that web browsers provide to interact with hardware) to detect nearby AirTags without an iPhone, and investigating how data might be extracted through AirTags and Apple's Find My network. The post documents these findings as exploratory research into the AirTag ecosystem.
Security breaches happen regularly to organizations, and companies often don't discover them for days, months, or even years after they occur. The post argues that organizations should adopt red team exercises (simulated attacks by internal security experts to test defenses) to strengthen their security, since breaches cannot be completely prevented and automated malware can strike at any time.
Google's FLoC (federated learning of cohorts) is a proposed alternative to cookie-based user tracking in Chrome that assigns users to interest groups based on their browsing history. The system makes user fingerprinting (identifying individuals by combining their FLoC ID with their IP address) easier and more accurate, potentially compromising privacy even though FLoC IDs are recalculated regularly and Google has disabled it in the European Union due to privacy concerns.
Attackers can trick users into entering passwords by spoofing credential dialogs (fake password prompts that look legitimate) on macOS, Linux, and Windows after gaining initial access to a computer. On macOS, the osascript command can create fake password prompts; on Linux, zenity with the --password option works similarly; and on Windows, PowerShell's Get-Credential command can be misused. The source emphasizes that detection teams should watch for these suspicious commands in logs and look for specific command-line arguments like --password and 'with hidden answer' to identify attacks.
Adversaries can hide a smaller image within a larger one so that it becomes visible when a computer resizes the image using insecure interpolation (a method of calculating pixel values between known points). The video demonstrates this attack technique and explains how to prevent it from happening.
Embrace The Red
This post describes Microsoft Counterfit, a tool for testing machine learning models against adversarial attacks (subtle modifications to input data designed to fool AI systems). The author demonstrates how to set up Counterfit, create a custom target for a husky image classifier, and use the tool's built-in attack modules to test the model's robustness.