Information Security News
Basecamp, maker of the popular project-management app by the same name, was back online Monday afternoon after sustaining a crippling denial-of-service attack earlier in the day that rendered its services unavailable to virtually all users.
In a blog post published Monday, Basecamp officials said the attack began after they spurned a demand to pay an unspecified ransom to avoid a threatened assault on their site. The flood of data that came after the demand was rebuffed peaked at about 20 gigabits per second, preventing legitimate traffic from passing through the site's overwhelmed data connections.
"We've learned that the very same criminals currently attacking and trying to extort us hit others just last week," the Basecamp blog post stated. "We're comparing notes with everyone affected who have been in touch. The blackmail came from an address matching this pattern: firstname.lastname@example.org. If you have been extorted by this person, please get in contact so we can compare notes on both technical defenses and the law enforcement effort to hunt them down."
Attackers are exploiting a newly discovered vulnerability in Microsoft Word that makes it possible to remotely seize control of computers, the company warned.
The in-the-wild attacks work by creating booby-trapped documents in the Rich Text Format (RTF) that exploit a vulnerability in the 2010 version of Microsoft Word, Microsoft warned in an advisory published Monday. Similar attacks work against other versions of Word, including 2003, 2007, and 2013 for Windows, Microsoft Office for Mac 2011, and multiple versions of Microsoft SharePoint Server. E-mails that are viewed or previewed using a default setting in Outlook allow the attacker to gain the same system privileges as the user who is currently logged in.
"Microsoft is aware of a vulnerability affecting supported versions of Microsoft Word," Monday's advisory stated. "At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word or previews or opens a specially crafted RTF e-mail message in Microsoft Outlook while using Microsoft Word as the e-mail viewer."
Microsoft today published a new security bulletin, announcing that it has seen a new Word 2010 exploit used in recent targeted attacks. The exploit uses a so far unpatched vulnerability in Word that is triggered by opening a crafted RTF document.
To prevent exploitation of the vulnerability, Microsoft released a "Fix It" that will prevent Word from opening RTF documents. 
RTF ("Rich Text Format") is frequently used as a more portable way to exchange documents with basic formatting elements. The Fix It may not be appropriate if you use RTF documents regularly. However, given that RTF documents are portable and can be opened by other software, it MAY be ok to just use software other than Word to open the document.
This vulnerability is identified by CVE-2014-1761.
More details about the exploit can be found in Microsoft's "Security Research and Defense Blog". It points out that EMET can help block the exploit if the "Mandatory ASLR" and the "Anti-ROP" features are selected. This may be of help if you can't stop opening RTFs altogether. Word 2013 appears vulnerable, but the exploit fails due to ASLR and "just" crashes Word 2013.
The blog post also includes indicators of compromise for the particular exploit seen.
Security researchers said they have uncovered bugs in Google's Android operating system that could allow malicious apps to send vulnerable devices into a spiral of endlessly looping crashes and possibly delete all data stored on them.
Apps that exploit the denial-of-service vulnerability work on Android versions 2.3, 4.2.2, 4.3, and possibly many other releases of the operating system, researcher Ibrahim Balic wrote in a blog post published last week. Attackers could exploit the underlying memory corruption bug by hiding attack code in an otherwise useful or legitimate app that is programmed to be triggered only after it is installed on a vulnerable handset. By filling the Android "appname" field with an extremely long value exceeding 387,000 characters, the app can cause the device to go into an endless series of crashes.
"We believe that this vulnerability may be used by cybercriminals to do some substantial damage on Android smartphones and tablets, which include 'bricking' a device or rendering it unusable in any way," Veo Zhang, a mobile threats analyst at Trend Micro, wrote in a blog post published Sunday. "In this context, the device is 'bricked' as it is trapped in an endless reboot loop."
I have been playing for a few years now with different network-connected devices. As a "security guy", a lot of this research has been about vulnerabilities in these devices, or what we sometimes call the "Internet of Things". Over the years, I also learned to appreciate the ability of these devices to deliver physical context to some events that I may see in my logs, and I started to add the state reported from some of these devices to my syslog collector feeding into my SIM (right now not a "full" SIM, but Splunk for the most part).
Here are a couple of experiences that I found helpful:
Servers (and many desktops) do provide a number of useful sensors, for example a sensor to detect opening the case, and various temperature sensors. The temperature sensor can easily be monitored with tools like Nagios. The case sensor is a bit more tricky. Yes, it can easily be monitored (Nagios again), but I find that nobody resets the sensor in the BIOS after legitimately opening the case, and to avoid tampering with this setting, this requires a BIOS password. Not too many people are willing to set BIOS passwords and rather rely on the physical security of the data center itself. A switch port can also be used to detect disconnection of a server, and the power usage of your power distribution unit (PDU) can often be polled remotely. I haven't run into a PDU yet that can send a syslog/SNMP message that would alert you of power use going to zero on a device. Usually they have alerts that will tell you about high load or high temperature.
There are a number of environmental sensors that are available outside of the server. Many AC systems can be polled remotely; I have run into HTTP APIs, some SNMP and even syslog. This can alert you of an AC failure before the temperature in your server rises significantly. Some advanced systems will also provide overall "health" information, but I haven't played much with that yet. Usually this information is used for remote maintenance. Of course, you can always add additional network-readable sensors for temperature and humidity. There are also a number of options to detect more "catastrophic" conditions like water leaks and to automatically shut off water feeds if they are detected.
Access cards and door open/close sensors are pretty much standard in large office buildings these days. But the information isn't always easily accessible to the network security team. Being able to correlate an event with a person's presence in (or absence from) an area can be important. Not just to identify the culprit, but also to provide context to an alert. For example, a workstation sending excessive HTTP requests while a user isn't sitting in front of it can be an important indicator. You may be able to get signals on whether a screen saver is engaged or not on a system in order to monitor physical security or additionally verify if a user is using a system or not (Nagios can do that easily in Linux. Not sure if there is an easy way to poll in Windows remotely if a screen saver is engaged).
My favorite example is always a hotel in Singapore that used the signal from an opening room door to dispatch an elevator to that respective floor.
Network cameras are pretty much everywhere these days. Some come with integrated motion sensors, or can detect motion by monitoring changes to the image. Either way, many of these cameras can send a signal whenever they detect motion, and even attach images. This can supplement some of the door sensors.
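The correlation described above (an HTTP burst from a workstation whose user has badged out of the area or whose screen saver is engaged), as an added example that is not part of the original diary. The syslog line format, the host-to-owner inventory and the burst threshold are all constructed for the example; a real collector would feed the same logic from its own parsers.

```python
"""Correlate physical-presence events with a workstation HTTP burst.
Log format, hosts and thresholds are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style lines from a badge reader, a screen-saver agent
# and a web proxy, all forwarded to one collector as the diary describes.
SAMPLE_LOG = """\
2014-03-24T09:02:11 badge user=alice door=lab2 action=enter
2014-03-24T09:03:40 screensaver host=ws-alice state=off
2014-03-24T09:10:00 proxy host=ws-alice url=http://example.com/a
2014-03-24T09:10:05 proxy host=ws-alice url=http://example.com/b
2014-03-24T09:10:09 proxy host=ws-alice url=http://example.com/c
2014-03-24T11:55:02 badge user=alice door=lab2 action=exit
2014-03-24T12:05:00 screensaver host=ws-alice state=on
2014-03-24T12:10:01 proxy host=ws-alice url=http://example.com/d
2014-03-24T12:10:30 proxy host=ws-alice url=http://example.com/e
2014-03-24T12:11:15 proxy host=ws-alice url=http://example.com/f"""

WORKSTATION_OWNER = {"ws-alice": "alice"}  # hypothetical asset inventory
BURST_THRESHOLD = 3                        # requests per window = "excessive"
WINDOW = timedelta(minutes=5)


def parse(line):
    # 'timestamp source key=value ...' -> (datetime, source, dict)
    ts, source, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), source, fields


def find_unattended_bursts(log_text):
    """Return (host, burst_start, count) for each HTTP burst from a host
    whose owner last badged out of the area or whose screen saver is on."""
    present = {}                 # user -> True after 'enter', False after 'exit'
    saver_on = {}                # host -> screen saver state
    recent = defaultdict(list)   # host -> request timestamps inside WINDOW
    alerts = []
    for line in log_text.splitlines():
        ts, source, f = parse(line)
        if source == "badge":
            present[f["user"]] = f["action"] == "enter"
        elif source == "screensaver":
            saver_on[f["host"]] = f["state"] == "on"
        elif source == "proxy":
            host = f["host"]
            recent[host] = [t for t in recent[host] if ts - t <= WINDOW] + [ts]
            owner = WORKSTATION_OWNER.get(host)
            unattended = not present.get(owner, True) or saver_on.get(host, False)
            if len(recent[host]) >= BURST_THRESHOLD and unattended:
                alerts.append((host, recent[host][0], len(recent[host])))
                recent[host] = []   # one alert per burst, then start counting again
    return alerts
```

The morning burst in the sample is ignored because alice had badged in and the screen saver was off; the same volume after she badges out produces a single alert.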
Anything else you recently integrated?
Awards on offer to students for cyber security advances
Dubai: In the spirit of fostering innovation and nurturing the progression of local talent in the field of information security, du invites students across the UAE to participate in its newly-launched Student InfoSec Award. The Student InfoSec Award is ...
Posted by InfoSec News on Mar 24: http://www.zdnet.com/polands-military-strikes-new-deal-to-bolster-cybersecurity-starting-with-cryptography-7000027567/
Posted by InfoSec News on Mar 24: Forwarded from: BSidesLV Info <info (at) bsideslv.org>
Posted by InfoSec News on Mar 24: https://blogs.rsa.com/bad-decisions-made-faster-qualitative-security-risk-assessments-making-things-worse/?utm_source=rss&utm_medium=rss&utm_campaign=bad-decisions-made-faster-qualitative-security-risk-assessments-making-things-worse
Posted by InfoSec News on Mar 24: http://krebsonsecurity.com/2014/03/sources-credit-card-breach-at-california-dmv/
Posted by InfoSec News on Mar 24: http://www.infosecnews.org/documentary-to-be-filmed-on-the-life-of-the-last-original-navajo-code-talkers-chester-nez/