First look at Google Chrome’s UI design refresh

Users of Google Chrome Canary, the cutting edge version of Google’s web browser, have a chance to get a sneak peek of a user interface design refresh that Google may plan to launch in all versions of Chrome eventually.

The feature is hidden behind a flag currently but that is a common practice by Google; the company uses flags to hide future features from the general population. While there is no guarantee that features will land in Chrome one day, it is often the case that Google uses experimental flags to prepare the wider release.

Chrome’s user interface has not changed all that much throughout the years. Google started a Material Design refresh of internal Chrome pages in 2015 and the process is still ongoing. The company changed the design of the Settings page in mid-2017, and the flags page in the end of 2017.

Google Chrome’s UI design refresh

[Screenshot: Chrome's refreshed Material Design user interface]

The screenshot above shows the new refreshed Material Design front user interface of Google Chrome. The very first thing you may notice is that Chrome’s tabs are slightly rounded now instead of sharp edged.

Tabs retain the rounded look even in a tab overload situation, that is, when you open so many tabs that each is displayed without any site indicator (Chrome does not scroll the tab bar).

The tab bar itself has a white background now. Inactive tabs are displayed with gray text on a gray background, the active tab with gray text on a white background.

There are other changes:

  • The design of the New Tab button changed to a plus icon.
  • The Chrome address bar has round edges, and its background is set to gray and not white anymore.
  • The profile indicator was moved from its original position near the window controls to the main Chrome toolbar.

How to enable the design refresh


You need to run Chrome Canary (version 68 or later) on Windows right now to enable the refresh. If the design refresh is not pulled again, it will become available for Mac or Linux as well in the future.

  1. Load chrome://flags/#top-chrome-md in Chrome's address bar. The address opens Chrome's experimental flags page.
  2. The preference "UI Layout for the browser's top chrome" determines the user interface design. Click on the menu next to it and select Refresh.
  3. Restart Google Chrome.

You can undo the change at any time by setting it to the default value. Other values that are supported:

  • Normal — clamshell devices.
  • Hybrid — for devices with touchscreen.
  • Touchable — new unified interface for touch and convertibles.
  • Auto — unclear.

Closing Words

The UI design refresh of Chrome is a work in progress. While it is likely that Google is going to launch a refresh of the design eventually, it is possible that it will look different from the first version that popped up in Chrome Canary in the past days.

Mozilla, maker of Firefox, moved away from rounded tabs with the release of Firefox 57.

Now You: what is your take on the new UI design?

Author: Martin Brinkmann. Publisher: Ghacks Technology News.
Read the Full Article here: >Top 100 Network Security Tools

Hackers Found Using A New Code Injection Technique to Evade Detection

While performing in-depth analysis of various malware samples, security researchers at Cyberbit found a new code injection technique, dubbed Early Bird, being used by at least three different sophisticated malware families that helped attackers evade detection.

As its name suggests, Early Bird is a “simple yet powerful” technique that allows attackers to inject malicious code into a legitimate process before its main thread starts, and thereby avoids detection by Windows hook engines used by most anti-malware products.

The Early Bird code injection technique "loads the malicious code in a very early stage of thread initialization, before many security products place their hooks—which allows the malware to perform its malicious actions without being detected," the researchers said.

The technique is similar to the AtomBombing code injection technique, which does not rely on easy-to-detect API calls, allowing malware to inject code into processes in a manner that no anti-malware tools can detect.

How Early Bird Code Injection Works

The Early Bird code injection method relies on Windows' built-in Asynchronous Procedure Call (APC) mechanism, which lets applications execute code asynchronously in the context of a particular thread.

Here's a brief step-by-step explanation of how an attacker can inject malicious code into a legitimate process so that it executes before an anti-malware program starts scanning.

  • Create a suspended instance of a legitimate Windows process (e.g., svchost.exe).
  • Allocate memory in that process (svchost.exe) and write the malicious code into the allocated memory region.
  • Queue an asynchronous procedure call (APC) to the main thread of that process (svchost.exe).
  • Since an APC only executes when its thread is in an alertable state, the NtTestAlert function is used to make the kernel run the malicious code as soon as the main thread resumes.
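As an added example (not code from the article or from Cyberbit), the following Python script correlates the four steps above in a constructed API-call trace of the kind a sandbox or EDR agent records; the trace format ("caller_pid api key=value ..."), the process ids and the image paths are hypothetical.

```python
"""Correlate the Early Bird injection sequence in a constructed API-call trace."""
from typing import Dict, List, Optional, Tuple

CREATE_SUSPENDED = 0x00000004  # real CreateProcess dwCreationFlags bit

# Constructed sample: an injector (pid 1000) performs the Early Bird sequence
# against svchost.exe, while a benign parent (pid 3000) merely creates a child
# suspended and resumes it (debugger-style). Only the first must be flagged.
SAMPLE_TRACE = """\
1000 CreateProcessW image=C:\\Windows\\System32\\svchost.exe flags=0x4 child_pid=2000 child_tid=2001
1000 VirtualAllocEx pid=2000 size=0x1000 protect=0x40
1000 WriteProcessMemory pid=2000 size=0x1000
1000 QueueUserAPC pid=2000 tid=2001
1000 ResumeThread tid=2001
3000 CreateProcessW image=C:\\Windows\\System32\\notepad.exe flags=0x4 child_pid=4000 child_tid=4001
3000 ResumeThread tid=4001
"""


def parse_line(line: str) -> Optional[Tuple[int, str, Dict[str, str]]]:
    """Split '<pid> <api> k=v k=v ...' into (pid, api, args); None for blank/malformed lines."""
    parts = line.split()
    if len(parts) < 2 or not parts[0].isdigit():
        return None
    args: Dict[str, str] = {}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        args[key] = value
    return int(parts[0]), parts[1], args


def detect_early_bird(trace: str) -> List[Dict[str, object]]:
    """Return one finding per (injector, target) pair that completes the full sequence."""
    # (injector_pid, target_pid) -> state accumulated while walking the trace
    candidates: Dict[Tuple[int, int], Dict[str, object]] = {}
    findings: List[Dict[str, object]] = []

    for raw in trace.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        pid, api, a = parsed

        # Step 1: a child created in the suspended state is a potential target.
        if api.startswith("CreateProcess"):
            flags = int(a.get("flags", "0"), 16)
            if flags & CREATE_SUSPENDED and "child_pid" in a and "child_tid" in a:
                candidates[(pid, int(a["child_pid"]))] = {
                    "image": a.get("image", "?"),
                    "main_tid": int(a["child_tid"]),
                    "wrote_memory": False,
                    "apc_on_main_thread": False,
                }
            continue

        # Steps 2-3: remote write, then an APC queued to the suspended main thread.
        if api in ("VirtualAllocEx", "WriteProcessMemory", "QueueUserAPC") and "pid" in a:
            state = candidates.get((pid, int(a["pid"])))
            if state is None:
                continue
            if api == "WriteProcessMemory":
                state["wrote_memory"] = True
            elif api == "QueueUserAPC" and int(a.get("tid", "-1")) == state["main_tid"]:
                state["apc_on_main_thread"] = True
            continue

        # Step 4: the main thread resumes and the queued APC runs during its early
        # initialisation. Report only when the whole chain was observed, so a plain
        # suspend/resume without a remote write is not flagged.
        if api == "ResumeThread" and "tid" in a:
            tid = int(a["tid"])
            for (injector, target), state in list(candidates.items()):
                if injector == pid and state["main_tid"] == tid:
                    if state["wrote_memory"] and state["apc_on_main_thread"]:
                        findings.append({"injector": injector, "target": target,
                                         "image": state["image"], "main_tid": tid})
                    del candidates[(injector, target)]
    return findings


if __name__ == "__main__":
    for f in detect_early_bird(SAMPLE_TRACE):
        print(f"early-bird: pid {f['injector']} -> pid {f['target']} ({f['image']})")
```

Real telemetry rarely ties the remote-write target to the child handle this neatly, so in production the correlation key would be the handle or the target pid reported by the sensor rather than a `child_pid` field.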

According to the researchers, at least the following three malware families were found using Early Bird code injection in the wild.

  • “TurnedUp” backdoor, developed by an Iranian hacking group (APT33)
  • A variant of “Carberp” banking malware
  • “DorkBot” malware

Initially discovered by FireEye in September 2017, TurnedUp is a backdoor that is capable of exfiltrating data from the target system, creating reverse shells, taking screenshots as well as gathering system information.

Dating back to 2012, DorkBot is botnet malware distributed via links on social media, instant messaging apps or infected removable media. It is used to steal users' credentials for online services, including banking services, participate in distributed denial-of-service (DDoS) attacks, send spam and deliver other malware to victims' computers.

Researchers have also provided a video demonstration, which shows the new Early Bird code injection technique in action.

Read the Full Article here: >The Hacker News [ THN ]


Portspoof – Spoof All Ports Open & Emulate Valid Services

The primary goal of the Portspoof program is to enhance your system security through a set of new camouflage techniques which spoof all ports open and also emulate valid services on every port. As a result, any attacker's port scan results will become fairly meaningless and will require hours of effort to accurately identify which ports have real services on them and which do not.


The tool is meant to be a lightweight, fast, portable and secure addition to any firewall system or security system. The general goal of the program is to make the reconnaissance phase as slow and bothersome for your attackers as possible. This is quite a change from the standard 5-second Nmap scan that gives a full view of your system's running services.



Techniques Used by Portspoof

All configured TCP ports are always open

Instead of informing an attacker that a particular port is in a CLOSED or FILTERED state, a system running Portspoof will return SYN+ACK for every connection attempt, spoofing all ports open.

Result: It is impractical to use stealth (SYN, ACK, etc.) port scanning against your system, since all ports are always reported as OPEN. With this approach it is really difficult to determine whether valid software is listening on a particular port.

Every open TCP port emulates a valid service

Portspoof has a huge dynamic service signature database that is used to generate responses to the service probes sent by your attackers' scanning software.

Scanning software usually tries to determine the service that is running on an open port. This step is mandatory for anyone who wants to identify the port numbers on which real services run on a system behind the spoofed ports. For this reason, Portspoof responds to every service probe with a valid service signature that is dynamically generated from a service signature regular expression database.

Result: An attacker will not be able to determine which port numbers your system is truly using.

Portspoof Port Spoofing Tool Features

The most important features that Portspoof has:

  • Portspoof is userland software and does not require root privileges
  • Binds to just one TCP port per running instance
  • Easily customizable through your iptables rules
  • Marginal CPU/memory usage (multithreaded)
  • More than 9000 dynamic service signatures are supported
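As an added illustration (not Portspoof's own code) of the two techniques above and of the single-port, iptables-driven design in the feature list, here is a minimal Python deception listener: one socket accepts every redirected connection and answers with a banner chosen per original destination port. The iptables rule, the listening port 4444 and the six-entry banner table are assumptions.

```python
"""Minimal Portspoof-style deception listener (added example, not Portspoof's code)."""
import hashlib
import socket
import struct
import threading

# Assumed Linux redirect of every TCP port to this single listener (hypothetical port):
#   iptables -t nat -A PREROUTING -p tcp --dport 1:65535 -j REDIRECT --to-ports 4444
LISTEN_PORT = 4444
SO_ORIGINAL_DST = 80  # Linux netfilter getsockopt option: destination before NAT

# Constructed banner table; Portspoof's real database holds thousands of signatures.
BANNERS = [
    b"SSH-2.0-OpenSSH_7.4\r\n",
    b"220 mail ESMTP Postfix\r\n",
    b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n",
    b"220 (vsFTPd 3.0.3)\r\n",
    b"* OK IMAP4rev1 server ready\r\n",
    b"+OK POP3 server ready\r\n",
]


def pick_banner(port: int, seed: bytes = b"portspoof-demo") -> bytes:
    """Map a destination port to a banner deterministically, so repeated scans agree."""
    digest = hashlib.sha256(seed + port.to_bytes(2, "big")).digest()
    return BANNERS[digest[0] % len(BANNERS)]


def port_diversity(ports) -> int:
    """Number of distinct 'services' a scanner would see across the given ports."""
    return len({pick_banner(p) for p in ports})


def original_dst_port(conn: socket.socket, fallback: int) -> int:
    """Recover the port the client really targeted before the REDIRECT rule rewrote it."""
    try:
        raw = conn.getsockopt(getattr(socket, "SOL_IP", 0), SO_ORIGINAL_DST, 16)
        # struct sockaddr_in: family(2) port(2, network order) addr(4) zero padding(8)
        return struct.unpack("!2xH4s8x", raw)[0]
    except (OSError, struct.error):
        return fallback


def handle(conn: socket.socket, fallback_port: int) -> None:
    """Wait briefly for the scanner's probe (ignored), then send the fake banner."""
    with conn:
        port = original_dst_port(conn, fallback_port)
        conn.settimeout(2.0)
        try:
            conn.recv(1024)
        except socket.timeout:
            pass
        except OSError:
            return
        try:
            conn.sendall(pick_banner(port))
        except OSError:
            pass


def serve(bind_port: int = LISTEN_PORT) -> None:
    """Accept every redirected connection; every port therefore looks open and 'identified'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", bind_port))
        srv.listen(128)
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn, bind_port), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Unlike Portspoof, this picks banners pseudo-randomly rather than matching the probe against a signature database, so a banner can contradict a port's conventional service; the point it demonstrates is the single-listener, all-ports-open mechanism.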

If you choose to, Portspoof can be used as an ‘Exploitation Framework Frontend’, that turns your system into a responsive and aggressive machine. This means exploiting your attackers’ tools and exploits in response to a port scan.

You can download Portspoof here:

portspoof-v1.3.zip

Or read more here.

Read the Full Article here: >Darknet – The Darkside

ShiftLeft: Fully automated runtime security solution for cloud applications

When talking about data loss prevention, the first thing that comes to mind are solutions aimed at stopping users from moving sensitive documents/data out of a network.

But there is a different type of data loss that app developers should be conscious and worry about: cloud applications inadvertently sending critical data to unencrypted/public databases/services.

Fuelled by the adoption of microservices and short software development cycles, this is the fastest growing problem in application security today. Recent data leakage incidents experienced by Uber (when 57 million records were breached because developer credentials were accidentally leaked into GitHub) or Wag Labs (when the dog walking service publicly leaked customer’s addresses and lockbox key codes to their corporate website) prove this point.

So how can you prevent such an incident from happening to you?

ShiftLeft is a relatively new offering that provides fully automated secure development and runtime protection for cloud applications.

[Screenshot: Main dashboard]

It extracts "Security DNA" from applications, maps how sensitive data flows from applications to data sinks, shows you how that flow is being handled, and flags potential problems: data leaks, but also unknown vulnerabilities in the customer's proprietary code and known vulnerabilities (with associated CVEs) in the open source code that the app depends on.

A new approach

Traditional technologies for protecting sensitive data – Data Loss Prevention solutions, Cloud Access Security Brokers, Web Application Firewalls – are widely used by enterprises and they are typically deployed between users and the Internet to monitor and prevent data leakage.

But they have their limitations. For example, they may not identify all sensitive data and can be defeated by encryption and obfuscation. An application can also leak sensitive data by accidentally writing secrets to an API that is not monitored by DLP. And let’s not forget that there are ways to get data outside of the organization without going through the Internet.

ShiftLeft approaches the problem from another vantage point: it starts tracking the data between an application (where the sensitive data originates and is processed) and its outputs (where it’s stored/published/delivered).

[Screenshot: Data flow topology view]

How ShiftLeft works

ShiftLeft uses a two-pronged approach for monitoring an application:

  • It uses semantic graphing to understand how an application works and to extract its Security DNA for each of its iterations/builds, and
  • Runtime monitoring, which leverages that graph, is used to decide which parts of the application to instrument in real time.

The Security DNA is used to create a custom microagent to be installed in the runtime environment. It will provide runtime protection by blocking sessions that may lead to security issues and/or by providing precise and actionable information for developers so they can quickly fix vulnerabilities and leaks.

“In addition to the runtime protection, because we have the insights from production, we help the developers prioritize which vulnerabilities to fix first with low MTTR, and even provide the exact lines of code in question. By understanding both the dev and production environments, we can definitely conclude when a vulnerability is real,” ShiftLeft CTO Chetan Conikee explained to Help Net Security.

If that in itself is not enough to make you interested, also consider this information:

ShiftLeft can quickly scan each version of the application that’s been pushed into production and automatically extract all security relevant aspects but does not impact continuous application delivery.

New issues can be detected in seconds or minutes (depending on the complexity of the application), but the app's runtime is not heavily affected because the solution does not instrument the entire surface of the app, just the areas where data is leaking or an attacker can take control of the application.

Also, the solution provides no false positives. "Because we understand how the application works and we know which variable names are sensitive, we can track how they flow across each microservice. Hence we can map their journey and see how they are handled (i.e. encrypted vs. decrypted) and all of their entry and exit points," Conikee told us.

[Screenshot: Example of a data leakage, with the exact line of code that needs to be updated]

Good to know

ShiftLeft is aimed primarily at securing cloud-based workloads (cloud applications and microservices).

"The hard limitations are more about language support," Conikee pointed out. At the moment, ShiftLeft supports Java. .Net support is coming in Q2 2018, and support for Python, Go and Javascript will follow shortly thereafter.

“We find that web applications are more likely to have fully embraced modern development practices (agile, cloud, CI/CD, microservices, etc.),” he noted.

“While these practices unlock tremendous innovation in the software development life cycle, they also make security more complex and decrease the time in which security teams have to find and fix vulnerabilities as the pace of releases increase from quarterly to monthly to weekly or even daily. While many other aspects of software development have become automated, security predominantly still relies on manual processes. Hence, it is falling further and further behind.”

DevOps or operations are usually the primary users of the solution – they are the ones who will regularly monitor the application and be on the receiving end of alerts. The developers are on the receiving end of tickets created by the former, but the task of fixing the underlying vulnerabilities in the code is made much easier because the production data weeds out the false positives and the developer knows exactly which line of code needs to be updated.

The security team is involved in the process inasmuch as they set the policy that determines the thresholds they are comfortable with for various security problems.

Conclusion

Increasingly shorter software development cycles often mean less time to spot and fix potentially dangerous changes that are introduced in the code. Automated discovery is, therefore, a must and each new build has to be subjected to it.

The process has to be quick and the results have to be granular, to allow for helpful insights and speedy remediation. ShiftLeft can provide all of that.

Read the Full Article here: >Help Net Security – News

Use SetupDiag to diagnose Windows 10 upgrade issues

SetupDiag is a free diagnostic tool by Microsoft that is designed to find and parse Windows 10 setup log files to determine why an upgrade or update failed to install on a computer system.

The program can be run on the computer that failed to upgrade or on another computer if relevant log files are available (for example, by copying them to the PC).

SetupDiag works only on devices running Windows 10. The second requirement is that it depends on the Microsoft .NET Framework 4.6 which needs to be installed on the device it is run on.

With the upcoming Windows 10 version 1803 just around the corner, it may be the right tool to have in your arsenal if you run into upgrading issues.

Using SetupDiag


You can run SetupDiag directly after download. If you run it without parameters, it attempts to locate log files that Windows 10 creates during the upgrade process in the default folders on the device.

The program creates a results.log file in its directory when it completes the scan which includes upgrade issues that it detected in the log files during parsing.

On top of that, SetupDiag creates a zip archive of all log files that it processed and saves it as Logs.zip in the same directory.

The command line window lists those as well, but the window is closed automatically when the program finishes the scan.

Check out our list of Windows 10 upgrade log files to find out more about those. Basically, what SetupDiag does is parse the following directories for log files:

  • \$Windows.~bt\sources\panther
  • \$Windows.~bt\Sources\Rollback
  • \Windows\Panther
  • \Windows\Panther\NewOS

You may run the application in offline mode to parse folders copied from another device. If you copy individual folders, the tool parses one folder only; if you copy the parent folder, it will include all logs found in all directories of the directory structure.

SetupDiag can also be used to debug minidump files that Windows 10 may create during the upgrade process. Windows 10 creates the file setupmem.dmp either in %SystemDrive%\$Windows.~bt\Sources\Rollback or in %WinDir%\Panther\NewOS\Rollback, depending on when the upgrade process is stopped.

Here are some examples:

  • SetupDiag.exe – the core command. It runs in online mode, which means that it tries to find upgrade logs on the target machine in the directories mentioned above.
  • SetupDiag.exe /Output:C:\SetupDiag\Results.log /Mode:Offline /LogsPath:D:\Temp\Logs\LogSet1 – runs SetupDiag in offline mode. It will scan the directory LogSet1 for matching log files and issues.
  • SetupDiag.exe /Output:C:\SetupDiag\Dumpdebug.log /Mode:Offline /LogsPath:D:\Dump – analyzes the setupmem.dmp file found in D:\Dump.

How it works

SetupDiag uses a set of rules files to find matches in upgrade logs. Rules have a name and associated unique identifier.

The reliance on rules means that SetupDiag can only identify issues that are defined in its set of rules. Microsoft lists a total of 26 unique identifiers on the Microsoft Docs website which SetupDiag identifies in its current version.

If the program fails to find the root cause for the upgrade issue, check out our how to analyze Windows 10 upgrade errors guide which offers information on diagnosing issues manually.

Closing Words

SetupDiag may significantly speed up the diagnosis of upgrade-related issues on Windows 10 machines. It reduces the time it takes to parse the log files but may still require additional research to repair the detected issue.

Some issues, like not enough disk space, are easy enough to fix but others may require extensive research and repair operations.

Now You: Did you run into Windows 10 upgrade errors in the past?

Author: Martin Brinkmann. Publisher: Ghacks Technology News.
Read the Full Article here: >Top 100 Network Security Tools

Facebook admits public data of its 2.2 billion users has been compromised

Facebook dropped another bombshell on its users by admitting that all of its 2.2 billion users should assume malicious third-party scrapers have compromised their public profile information.

On Wednesday, Facebook CEO Mark Zuckerberg revealed that "malicious actors" took advantage of "Search" tools on its platform to discover the identities and collect information on most of its 2 billion users worldwide.

The revelation once again underlines the failure of the social-media giant to protect users' privacy while generating billions of dollars in revenue from the same information.

The revelation came weeks after the disclosure of the Cambridge Analytica scandal, wherein personal data of 77 million users was improperly gathered and misused by the political consultancy firm, which reportedly also helped Donald Trump win the US presidency in 2016.

However, the latest scam revealed by the social media giant about the abuse of Facebook’s search tools over the course of several years impacts almost all of its 2.2 billion users, making it the worst year for the world’s largest social network.

"It is clear now that we didn’t do enough, we didn’t focus enough on preventing abuse," Zuckerberg told press reporters. "We didn’t take a broad enough view of what our responsibility is, and that was a huge mistake."

The company said it had disabled the feature—which allows anyone to look up users by entering phone numbers or email addresses into Facebook’s search tool—in its site’s search function that enabled malicious actors to scrape public profile information.

Here's How Scraped Data Could Have Helped Cybercriminals

As mentioned above, the source of this scam was Facebook's search function, which was turned on by default. Hackers used the "Dark Web," where criminals post personal information stolen in data breaches over the years, to collect email addresses and phone numbers.

Once they had their hands on email addresses and phone numbers, the hackers then used automated computer programs to feed the email addresses and phone numbers into Facebook’s "search" box.

This scan allowed them to find out the full names of people associated with the email addresses or phone numbers, along with the Facebook profile information they chose to make public, which often includes names, profile photos, and hometown.

This collected information was then likely used by cybercriminals to target particular individuals using social engineering or other cyber attacks.

"Until today, people could enter another person’s phone number or email address into Facebook search to help find them. This has been especially useful for finding your friends in languages which take more effort to type out a full name, or where many people have the same name," Facebook Chief Technology Officer Mike Schroepfer said in a blog post describing changes the company has made to its service to protect its users’ data better.

"However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way."

While apologizing a "second time" to its users, Zuckerberg said this feature has immediately been turned off, noting that the scraped profile information was limited to what was publicly viewable.

However, Zuckerberg defended gathering users’ data for a business model, arguing "People tell us that if they’re going to see ads, they want the ads to be good."

"On the one hand, people want relevant experiences, and on the other hand there is some discomfort about how data is used," Zuck added. "I think the overwhelming feedback is for wanting a good experience."

Also, it was initially reported that Cambridge Analytica quiz app gathered data on some 50 million Facebook users, but Facebook revised that number upward by 74 percent, i.e., over 77 million.

In an effort to protect its users' private data, Facebook is now restricting third-party apps from accessing users' information about their relationship status, religious or political views, work history, education, habits, interests, video watching, and games—basically almost all the information data brokers and businesses collect to build profiles of their customers' tastes.

The company is all set to roll out a new feature on Monday that will inform users who were affected by the Cambridge Analytica data leak.

Read the Full Article here: >The Hacker News [ THN ]
