This is the first in the series of hacking Amazon’s eero 6 (3rd generation) Wi-Fi device. In this post I will be focusing on device disassembly, identifying pins, brute forcing JTAG, and reading serial output. About Eero is a San Francisco-based wireless Internet company founded in 2015. It is known for making household consumer Wi-Fi products. The company was acquired by Amazon in 2019 for $97 million. Device Specification eero 6 (3rd gen 2020) device specification....
A short guide on how to block the entire .zip TLD using pfSense. In particular using a package called pfBlocker-NG, which can be thought of as a “PiHole” alternative. pfBlocker-NG is capable of much much more but won’t be covered in this blog. Why is .zip TLD a problem? It’s simple really, Phishing. Whether it’s abusing a HTTP URI scheme or using special unicode characters, having a .zip TLD which has always been attributed to the compression file extension is just a bad idea....
PayPal’s Help Center - Technical Support post shows how Passkeys work on its platform and how users can add new security devices, this covers both iOS and Android but also desktop systems too. It also goes into more detail on what to do when you’ve lost your device, and much more. TL;DR: As of 26th May 2023, PayPal only supports external security “Passkeys” keys (such as Yubikeys) for two-factor authentication. Passkeys on mobile devices like iOS or Android still do NOT work, even though you can register one....
This is a short blog post on how you can get root access on a Android 12 emulated device with Google services, using a tool (script) called rootAVD by newbit1. I also share a few recommendations which are helpful during mobile analysis. Android Studio For mobile analysis I generally use my Google Pixel 3a device. However, sometimes I will try to avoid it if I can, especially when I’m only curious about an app’s network traffic or API endpoints....
In this post I will go into technical details on what attackers could do with the stolen encrypted vaults, specifically how they could use tools like Hashcat to crack vault passwords and get access to sensitive log-in credentials. To simulate the stolen data, I will use my test Lastpass account to extract an encrypted vault from the Chrome Browser extension on macOS. Following this, I will use a wordlist attack to bruteforce the vault which has a weak and guessiable password....