New tools, products, platforms, funding rounds, and company developments in AI security.
Coinbase was attacked using Firefox 0-days (previously unknown security flaws in Firefox) to steal browser session tokens, which are credentials stored in browser data files that let attackers access cloud services like Gmail without needing passwords. The attackers specifically targeted these token files by reading the browser datastores directly (the storage locations where browsers save data), which is unusual behavior for any process other than the browser itself and could be detected by monitoring which processes open these files.
This article discusses 'Homefield Advantage' as a security concept, meaning that a mature security team should have natural advantages when defending their own systems, similar to how sports teams perform better at home. The author argues that security programs should recognize and leverage these inherent benefits, such as familiarity with their own environment and systems.
This is a disclaimer notice from a blog called WUNDERWUZZI stating that penetration testing (authorized attempts to find security weaknesses in systems) must have proper permission, and that the blog's content is for educational purposes to help people understand security attacks and defenses.
BashSpray is a password spray tool (a script that tests many accounts with common weak passwords to find security gaps) that red teams (security professionals hired to test defenses) can use to identify weak passwords in their organization. The tool works on both Mac and Windows systems, and ideally should be integrated into security response workflows so that affected users and security teams are notified to change passwords and investigate if needed.
This article discusses how to interact with Active Directory (a system that manages users and computers on networks) on macOS computers. It describes three approaches: using macOS's built-in Directory Utility, using Apache Directory Studio (a third-party tool), or writing custom scripts with LDAP (lightweight directory access protocol, the standard way to query directory systems) commands.
Google's login system leaks alternate email addresses to anyone who calls an unauthenticated endpoint (a service that doesn't require you to prove who you are) with just an email address. An attacker could use this to find backup accounts linked to a target email, then use those accounts for phishing (tricking people into giving up passwords) or to take over the main account if the alternate email is set up for password recovery.
Lyrebird is a security tool that takes a screenshot of your desktop and then monitors your computer by using the webcam to photograph anyone who tries to use it while you're away. The tool is designed to catch people who access an unattended workstation, helping you identify if someone has tampered with your computer.
KoiPhish is a relay proxy (a tool that intercepts and forwards network traffic between a user and a target server) designed for phishing attacks. It forwards requests from victims to a real website while modifying links in responses to keep users engaged with the fake site instead of noticing they've been redirected.
This post describes techniques for accessing user accounts and data on macOS systems after gaining root access, including methods to bypass keychain (macOS's password storage system) protections through process injection and debugger attachment. The author notes that macOS has security features like SIP (System Integrity Protection, which prevents debugging of protected system processes) and keychain encryption that make direct access difficult, requiring either the target user's password or creative workarounds like injecting code into running processes.
Attackers can steal authentication cookies (small pieces of data the browser stores to prove you're logged in) from a compromised computer to break into web applications and cloud services, even bypassing multi-factor authentication (extra security checks beyond passwords). This works because cookies remain valid long after authentication is complete and are stored where attackers can find them, either on disk or in the computer's active memory. This technique, called "pass the cookie," is a post-exploitation method (a way attackers move through a system after gaining initial access) that also works with similar tokens like JWTs (JSON web tokens, another way to prove identity).
Fix (for the Google alternate-email leak): The source mentions two mitigations: (1) 'Remove all alternate account associations' and (2) 'Make sure that any alternate account is not your password recovery or 2FA to minimize attack surface.' However, these are user-level workarounds. Google declined to fix the issue itself after review.
Embrace The Red