source: securityweek.com

Stealthy command and control methods allowed a newly discovered malware family to fly under the radar for more than three years, Palo Alto Networks security researchers reveal.

Dubbed Dimnie, the threat was discovered in mid-January 2017, when it was targeting open-source developers via phishing emails. An attached malicious .doc file contained embedded macro code that executed a PowerShell command to download and execute a file.

The first samples pertaining to this malware family dated back to early 2014, but the use of stealthy command and control (C&C) methods, combined with a Russian-focused target base helped the threat remain unnoticed until this year. Dimnie, which attempted a global reach with its January 2017 campaign, is capable of downloading additional malware and stealing information from compromised systems.

The malware has a modular design and can hinder analysis by injecting each of its modules into the memory of core Windows processes. What’s more, the malware appears to have undergone a series of changes over time, Palo Alto Networks reveals.

Looking at the threat’s communication with the C&C infrastructure, the security researchers discovered that it uses HTTP Proxy requests to the Google PageRank service, which hasn’t been available to the public since last year. Because the absolute URI in the HTTP request is for a non-existent service, the server isn’t acting as a proxy, and the seemingly RFC compliant request is merely camouflage.

The HTTP traffic also reveals that the malware uses an AES key to decrypt payloads, which are encrypted with AES-256 in ECB mode. The server’s reply also carries a Cookie value: a 48-byte, base64-encoded, AES-256-ECB-encrypted series of UINT32 values that describe the payload. The malware uses this Cookie value to verify the payload’s integrity.
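As an added detection example (not code from Palo Alto Networks or from the report), the Python below flags the two traffic traits described above: an absolute-form (proxy-style) request line arriving at an origin server that is not a proxy, and a server reply whose Cookie value decodes from base64 to exactly 48 bytes (three AES blocks). The host name and the sample exchange are constructed placeholders; decrypting the Cookie with the AES-256-ECB key is omitted because neither the key nor the field layout is given here.

```python
import base64
import binascii
import re

# Absolute-form request line (RFC 7230 section 5.3.2): the form a client sends
# to a forward proxy. Seen on a direct connection to a web server, it is unusual.
ABSOLUTE_FORM = re.compile(
    r"^(?P<method>[A-Z]+)\s+(?P<uri>https?://[^\s/]+\S*)\s+HTTP/1\.[01]$"
)


def is_absolute_form(request_line):
    """True if the request line carries an absolute URI instead of a path."""
    return ABSOLUTE_FORM.match(request_line.strip()) is not None


def decode_fixed_blob(value, expected_len=48):
    """Return the decoded bytes if value is valid base64 of exactly expected_len
    bytes (48 bytes = three AES blocks, as in the Dimnie reply Cookie); else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, binascii.Error):
        return None
    return raw if len(raw) == expected_len else None


def dimnie_style_indicators(request_line, response_headers):
    """Return the list of heuristic matches for one HTTP exchange.
    response_headers maps lower-cased header names to values."""
    hits = []
    if is_absolute_form(request_line):
        hits.append("absolute-form request line sent to an origin server")
    cookie = response_headers.get("cookie")
    if cookie is not None and decode_fixed_blob(cookie) is not None:
        hits.append("48-byte base64 Cookie in server reply")
    return hits


# Constructed sample exchange: placeholder host, not a real indicator.
SAMPLE_REQUEST = "GET http://pagerank.example.invalid/search?q=test HTTP/1.1"
SAMPLE_RESPONSE_HEADERS = {
    "content-type": "application/octet-stream",
    "cookie": base64.b64encode(bytes(range(48))).decode(),
}

if __name__ == "__main__":
    for hit in dimnie_style_indicators(SAMPLE_REQUEST, SAMPLE_RESPONSE_HEADERS):
        print("match:", hit)
```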


source: wired.com

As social networks continue to mature, they increasingly take on roles they may not have anticipated. Moderating graphic imagery and hate speech, working to address trolling and harassment, and dealing with dissemination of fake news puts companies like Facebook and Twitter in powerful societal positions. Now, Facebook has acknowledged yet another challenge: keeping your data safe from surveillance.

That’s harder than it may sound. When you post something publicly on a social network, anyone can view it—including law enforcement or federal agencies. Those types of groups, particularly local police, have increasingly capitalized on social media as an investigatory resource. And those one-off cases hardly register compared to the mass surveillance tools that software companies can create by using a social network’s API—the set of tools that allow outside parties to develop interoperable software for a company’s product. In the case of a company like Facebook, those tools can surveil and collect data about millions of people. These products are then sold to police, advertisers, or anyone else willing to pay. Or at least, they could until this week.

“We are adding language to our Facebook and Instagram platform policies to more clearly explain that developers cannot ‘use data obtained from us to provide tools that are used for surveillance,’” Facebook said in a statement. “Over the past several months we have taken enforcement action against developers who created and marketed tools meant for surveillance, in violation of our existing policies.”

Private Lives

Facebook worked with the American Civil Liberties Union of California, Center for Media Justice, and Color of Change to implement the policy, prompted in part by ACLU research from September that demonstrated how law enforcement used third-party tools to track activists, particularly those from the Black Lives Matter movement.

“The clear public policy is important because it sends a very clear message to developers and to businesses about what is not allowed on Facebook,” says Nicole Ozer, the Technology and Civil Liberties Policy Director at the ACLU of California. “And if their business model is based on building tools for surveillance they need to get a new business model.”


source: darkreading.com

If your company doesn't have an ethical hacker on the security team, it's playing a one-sided game of defense against attackers.

Great power comes with great responsibility, and all heroes face the decision of using their powers for good or evil. These heroes I speak of are called white hat hackers, legal hackers, or, most commonly, ethical hackers. All these labels mean the same thing: A hacker who helps organizations uncover security issues with the goal of preventing those security flaws from being exploited. If companies don't have an ethical hacker working for them, they're in a one-sided game, only playing defense against attackers.

Meet the Hackers
Companies house both developer and security teams to build out code, but unfortunately, there is often little communication between the two until the code is in its final stages. DevSecOps — developer and security teams working together — involves both sides throughout the coding process to catch vulnerabilities early, rather than at the end, when changes are harder for developers to make.


Although secure coding practices and code analysis should be automated and a standard step in the development process, hackers will always try other techniques if they can't find code vulnerabilities. Ethical hackers, as part of the DevSecOps team, strengthen the developers' secure coding practices through knowledge sharing and by testing for vulnerabilities that someone outside the company could easily exploit.

Take, for example, Jared Demott. Microsoft hosts the BlueHat competition for ethical hackers to find bugs in its coding, and Demott found a way to bypass all of the company's security measures. Let that sink in for a moment — he found a way to bypass all of Microsoft's security measures. Can you imagine the repercussions if that flaw had been discovered by a malicious hacker?

Let the Hackers Hack
Security solutions (such as application security testing and intrusion detection and prevention systems) are a company's first line of defense because they're important for automatically cleaning out most risks, leaving the more unique attack techniques for the ethical hackers to expose. These could include things such as social engineering or logical flaws that expose a risk. Mature application security programs will use ethical hackers to ensure continuous security throughout the organization and its applications. Many organizations also use them to ensure compliance with regulatory standards such as PCI-DSS and HIPAA, alongside defensive techniques, including static application security testing.

You may be thinking, "What about security audits? Wouldn't they do the trick?" No, not fully. Ethical hacking is used to build real-world potential attacks on an application or the organization as a whole, as opposed to the more analytical and risk-based analysis achieved through security audits. As an ethical hacker, the goal is to find as many vulnerabilities as possible, no matter the risk level, and report them back to the organization.

Another advantage is that once hackers detect a risk, vendors can add detection for it to their products, improving detection quality in the long run. For example, David Sopas, security research team leader for Checkmarx, discovered a potentially dangerous flaw in a LinkedIn reflected filename download. It could have had a number of outcomes, including a full-blown hijacking of a victim's computer if the victim had run the file. It's probably safe to say that an audit alone wouldn't have identified this hidden flaw.


source: technewsworld.com

Gmail users in recent months have been targeted by a sophisticated series of phishing attacks that use emails from a known contact whose account has been compromised. The emails contain an image of an attachment that appears to be legitimate, according to Wordfence.

The sophisticated attack displays "accounts.gmail.com" in the browser's location bar and leads users to what appears to be a legitimate Google sign-in page where they are prompted to supply their credentials, which then become compromised.

The technique works so well that many experienced technical users have fallen prey to the scam, noted Mark Maunder, CEO of Wordfence. Many have shared warnings on Facebook to alert family and friends, given that the technique has exploited otherwise trusted contacts so successfully.

Google's Reply

Google has been aware of the issue at least since mid-January, based on comments from Google Communications' Aaron Stein, which WordPress characterized as an "official statement" from the company.

Google was continuing to strengthen its defenses, Stein said, adding that it was using machine learning-based detection of phishing messages, safe browsing warnings of dangerous links in emails, and taking steps to prevent suspicious sign-ins.

Users could take advantage of two-factor authentication to further protect their accounts, he suggested.

Wordfence last month noted that Google had released Chrome 56.0.2924, which changes the behavior of the browser's location bar: it now displays a "Not secure" warning when the location bar shows a data URL.

Google last month announced additional steps to protect G Suite customers against phishing, using Security Key enforcement. The feature lets administrators protect their employees by requiring security keys as the only permitted second factor.

Bluetooth low energy Security Key support, which works on Android and iOS mobile devices, is another user option.

Realistic View

Recent changes in Chrome and Firefox browsers have mitigated some of these types of attacks, observed Patrick Wheeler, director of threat intelligence at Proofpoint.

However, a variety of techniques are used to target users, he pointed out.