Critical Patches Issued for Microsoft Products, 07-11-2017

MS-ISAC ADVISORY NUMBER:
2017-063

DATE ISSUED:
07/11/2017

SUBJECT:
Critical Patches Issued for Microsoft Products, July 11, 2017

OVERVIEW:
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:
• Microsoft Internet Explorer 9, 10, 11
• Microsoft Edge
• Microsoft .NET Framework
• Microsoft Windows: 7, 8.1, RT 8.1, 10
• Microsoft Windows Server: 2008, 2008 R2, 2012, 2012 R2, 2016
• Microsoft Windows Server Core Installations: 2008, 2008 R2, 2012, 2012 R2, 2016
• Microsoft Office Web Apps 2010
• Microsoft Office 2007, 2010, 2011, 2013, 2016
• Microsoft SharePoint Enterprise Server 2013, 2016

RISK:
Government:
• Large and medium government entities: High
• Small government entities: Medium
Businesses:
• Large and medium business entities: High
• Small business entities: Medium
Home users: Low

TECHNICAL SUMMARY:
Microsoft products are prone to multiple vulnerabilities, the most severe of which could allow for remote code execution.

A full list of all vulnerabilities can be found at the link below.
https://portal.msrc.microsoft.com/en-us/security-guidance

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:
• Apply the appropriate patches or mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing.
• Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
• Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
• Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
• Apply the Principle of Least Privilege to all systems and services.

REFERENCES:
Microsoft:
https://portal.msrc.microsoft.com/en-us/security-guidance
https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/f2b16606-4945-e711-80dc-000d3a32fc99

Multiple Vulnerabilities in Google Android

DATE ISSUED:
07/07/2017

SUBJECT:
Multiple Vulnerabilities in Google Android OS Could Allow for Arbitrary Code Execution

OVERVIEW:
Multiple vulnerabilities have been discovered in the Google Android operating system (OS), the most severe of which could allow for arbitrary code execution. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. These vulnerabilities could be exploited through multiple methods such as email, web browsing, and MMS when processing media files. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the application. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:
• Android OS builds utilizing Security Patch Levels prior to July 5, 2017

RISK:
Government:
• Large and medium government entities: High
• Small government entities: High
Businesses:
• Large and medium business entities: High
• Small business entities: High
Home users: High

TECHNICAL SUMMARY:
Google Android OS is prone to multiple vulnerabilities, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

• An arbitrary code execution vulnerability in Runtime. (CVE-2017-3544)
• Multiple arbitrary code execution vulnerabilities in Framework. (CVE-2017-0664, CVE-2017-0665, CVE-2017-0666, CVE-2017-0667, CVE-2017-0668, CVE-2017-0669, CVE-2017-0670)
• Multiple arbitrary code execution vulnerabilities in Libraries. (CVE-2017-0671, CVE-2016-2109, CVE-2017-0672)
• Multiple arbitrary code execution vulnerabilities in Media Framework. (CVE-2017-0540, CVE-2017-0673, CVE-2017-0674, CVE-2017-0675, CVE-2017-0676, CVE-2017-0677, CVE-2017-0678, CVE-2017-0679, CVE-2017-0680, CVE-2017-0681, CVE-2017-0682, CVE-2017-0683, CVE-2017-0684, CVE-2017-0685, CVE-2017-0686, CVE-2017-0688, CVE-2017-0689, CVE-2017-0690, CVE-2017-0691, CVE-2017-0692, CVE-2017-0693, CVE-2017-0694, CVE-2017-0695, CVE-2017-0696, CVE-2017-0697, CVE-2017-0698, CVE-2017-0699)
• Multiple arbitrary code execution vulnerabilities in System UI. (CVE-2017-0700, CVE-2017-0701, CVE-2017-0702, CVE-2017-0703, CVE-2017-0704)
• Multiple arbitrary code execution vulnerabilities in Broadcom Components. (CVE-2017-9417, CVE-2017-0705, CVE-2017-0706)
• Multiple arbitrary code execution vulnerabilities in HTC Components. (CVE-2017-0707, CVE-2017-0708, CVE-2017-0709)
• Multiple arbitrary code execution vulnerabilities in Kernel Components. (CVE-2017-6074, CVE-2017-5970, CVE-2015-5707, CVE-2017-0710, CVE-2017-7308, CVE-2014-9731)
• An arbitrary code execution vulnerability in MediaTek Components. (CVE-2017-0711)
• Multiple arbitrary code execution vulnerabilities in NVIDIA Components. (CVE-2017-0340, CVE-2017-0326)
• Multiple arbitrary code execution vulnerabilities in Qualcomm Components. (CVE-2017-8255, CVE-2016-10389, CVE-2017-8253, CVE-2017-8262, CVE-2017-8263, CVE-2017-8267, CVE-2017-8273, CVE-2016-5863, CVE-2017-8243, CVE-2017-8246, CVE-2017-8256, CVE-2017-8257, CVE-2017-8259, CVE-2017-8260, CVE-2017-8261, CVE-2017-8264, CVE-2017-8265, CVE-2017-8266, CVE-2017-8268, CVE-2017-8270, CVE-2017-8271, CVE-2017-8272, CVE-2017-8254, CVE-2017-8258, CVE-2017-8269)
• Multiple arbitrary code execution vulnerabilities in Qualcomm Closed-Source Components. (CVE-2014-9411, CVE-2014-9968, CVE-2014-9973, CVE-2014-9974, CVE-2014-9975, CVE-2014-9977, CVE-2014-9978, CVE-2014-9979, CVE-2014-9980, CVE-2015-0575, CVE-2015-8592, CVE-2015-8595, CVE-2015-8596, CVE-2015-9034, CVE-2015-9035, CVE-2015-9036, CVE-2015-9037, CVE-2015-9038, CVE-2015-9039, CVE-2015-9040, CVE-2015-9041, CVE-2015-9042, CVE-2015-9043, CVE-2015-9044, CVE-2015-9045, CVE-2015-9046, CVE-2015-9047, CVE-2015-9048, CVE-2015-9049, CVE-2015-9050, CVE-2015-9051, CVE-2015-9052, CVE-2015-9053, CVE-2015-9054, CVE-2015-9055, CVE-2015-9060, CVE-2015-9061, CVE-2015-9062, CVE-2015-9067, CVE-2015-9068, CVE-2015-9069, CVE-2015-9070, CVE-2015-9071, CVE-2015-9072, CVE-2015-9073, CVE-2016-10343, CVE-2016-10344, CVE-2016-10346, CVE-2016-10347, CVE-2016-10382, CVE-2016-10383, CVE-2016-10388, CVE-2016-10391, CVE-2016-5871, CVE-2016-5872)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the application. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

RECOMMENDATIONS:
We recommend the following actions be taken:
• Apply the appropriate updates provided by Google Android or mobile carriers to vulnerable systems immediately after appropriate testing.
• Remind users to download apps only from trusted vendors in the Play Store.
• Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
• Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.

REFERENCES:
Android:
https://source.android.com/security/bulletin/2017-07-01

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9411
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9731
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9968
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9973
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9974
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9975
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9977
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9978
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9979
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9980
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0575
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5707
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8592
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8595
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8596
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9034
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9035
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9036
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9037
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9038
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9039
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9040
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9041
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9042
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9043
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9044
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9045
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9047
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9048
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9049
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9050
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9051
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9052
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9053
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9054
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9055
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9060
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9061
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9062
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9067
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9068
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9069
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9070
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9071
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9072
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9073
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2109
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5863
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5871
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5872
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10343
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10344
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10346
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10347
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10382
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10383
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10388
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10389
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10391
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0340
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0326
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0540
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0673
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0674
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0675
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0676
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0677
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0678
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0679
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0680
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0681
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0682
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0683
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0684
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0685
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0686
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0688
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0689
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0690
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0691
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0692
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0693
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0694
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0695
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0696
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0697
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0698
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0699
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0664
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0665
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0666
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0667
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0668
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0669
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0670
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0671
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0672
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0700
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0701
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0702
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0703
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0704
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0705
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0706
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0707
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0708
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0709
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0710
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0711
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3544
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5970
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6074
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7308
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8255
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8253
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8262
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8263
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8267
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8273
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8243
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8246
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8256
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8257
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8259
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8260
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8261
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8264
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8265
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8266
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8268
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8270
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8271
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8254
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8258
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8269
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9417

24×7 Security Operations Center
Multi-State Information Sharing and Analysis Center (MS-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061
SOC@cisecurity.org – 1-866-787-4722

The Petya ransomware looks like a cyber attack

The haze of yesterday’s massive ransomware attack is clearing, and Ukraine has already emerged as the epicenter of the damage. Kaspersky Labs reports that as many as 60 percent of the systems infected by the Petya ransomware were located within Ukraine, far more than anywhere else. The hack’s reach touched some of the country’s most crucial infrastructure including its central bank, airport, metro transport, and even the Chernobyl power plant, which was forced to move radiation-sensing systems to manual.

The ostensible purpose of all that damage was to make money — and yet there’s very little money to be found. Most ransomware flies under the radar, quietly collecting payouts from companies eager to get their data back and decrypting systems as payments come in. But Petya seems to have been incapable of decrypting infected machines, and its payout method was bizarrely complex, hinging on a single email address that was shut down almost as soon as the malware made headlines. As of this morning, the Bitcoin wallet associated with the attack had received just $10,000, a relatively meager payout by ransomware standards.

It leads to an uncomfortable question: what if money wasn’t the point? What if the attackers just wanted to cause damage to Ukraine? It’s not the first time the country has come under cyberattack. (These attacks have typically been attributed to Russia.) But it would be the first time such an attack has come in the guise of ransomware, and has spilled over so heavily onto other countries and corporations.

Because the virus has proven unusually destructive in Ukraine, a number of researchers have come to suspect more sinister motives at work. Peeling apart the program’s decryption failure in a post today, Comae’s Matthieu Suiche concluded a nation state attack was the only plausible explanation. “Pretending to be a ransomware while being in fact a nation state attack,” Suiche wrote, “is in our opinion a very subtle way from the attacker to control the narrative of the attack.”

Another prominent infosec figure put it more bluntly: “There’s no ******* way this was criminals.”

There’s already mounting evidence that Petya’s focus on Ukraine was deliberate. The Petya virus is very good at moving within networks, but initial attacks were limited to just a few specific infections, all of which seem to have been targeted at Ukraine. The highest-profile one was a Ukrainian accounting program called MeDoc, which sent out a suspicious software update Tuesday morning that many researchers blame for the initial Petya infections. Attackers also planted malware on the homepage of a prominent Ukraine-based news outlet, according to one researcher at Kaspersky.

In each case, the infections seem to specifically target Ukraine’s most vital institutions, rather than making a broader attempt to find lucrative ransomware targets. These initial infections are particularly telling because they were directly chosen by whoever set the malware in motion. Computer viruses often spread farther than their creators intended, but once Petya was on the loose, the attackers would have had no control over how far it reached. But the attackers had complete control over where they planted Petya initially, and they chose to plant it by some of the most central institutions in Ukraine.

The broader political context makes Russia a viable suspect. Russia has been engaged in active military interventions in Ukraine since former president Viktor Yanukovych was removed from power in 2014. That has included the annexation of Crimea and the active movement of troops and equipment in the eastern region of the country, but also a number of more subtle activities. Ukraine’s power grid came under cyberattack in December 2015, an attack many interpreted as part of a hybrid attack by Russia against the country’s infrastructure. That hybrid-warfare theory extends to more conventional guerrilla attacks: the same day that Petya ripped through online infrastructure, Ukrainian colonel Maksim Shapoval was killed by a car bomb attack in Kiev.

All that evidence is still circumstantial, and there’s no hard link between yesterday’s attacks and any nation state. It could be that Ukraine simply presented a soft target, and the attackers screwed up their payment and decryption systems out of simple carelessness. Functional or not, the software involved still has strong ties to traditional ransomware systems, and even if the attackers didn’t make much money off ransom payments, Petya was still collecting credentials and other data from infected machines, which could be valuable fodder for future attacks. That has led researchers like F-Secure’s Sean Sullivan to hold off on nation-state suspicions. “Maybe there’s multiple ways they’re working the money angle, but I think ultimately it’s about money,” Sullivan told me. “Tigers don’t change their stripes.”

Still, the line between common criminals and state agents can be difficult to parse. A recent indictment in the Yahoo hacking case charged Russian officials alongside freelance hackers, and the division of labor was often unclear. Criminals can be enlisted as privateers, or agents can adopt criminal tactics as a way of disguising themselves. If the suspicions around Petya are correct, that line may be growing even thinner, as globe-spanning attacks get lost in the fog of war. With no clear path to a firm attribution, we may never be able to prove who was responsible for this week’s attacks, or what they hoped to achieve. For anyone digging out a Petya-bricked computer system, that clean getaway is adding insult to injury.

Story reported by Russell Brandom (The Verge)

Snapchat map update raises child safety worries

An update to Snapchat that shows publicly posted images on a searchable map has raised safety concerns among parents.

Snap Map lets people search for places such as schools and see videos and pictures posted by children inside.

It also lets people locate their “friends” on a map that is accurate enough to determine where people live.

Snap, the company behind Snapchat, stressed to the BBC that location sharing was an opt-in feature.

Exact location
Snap Map was launched on Wednesday and was promoted as a “new way to explore the world”.

Video clips and photos that members have posted publicly can be discovered on the map, while members who have chosen to share their location can also be seen on the map by those they have added as “friends”.

However, members can add people they have never met to their friends list too.

A message to parents posted by St Peter’s Academy in Staffordshire warned that the location-sharing feature lets people “locate exactly where you are, which building you are in and exact whereabouts within the building”.

One parent described the update as “dangerous” while another said she could not find the setting to disable it.

People have expressed concern online that the app could be used for stalking or working out exactly where somebody lives.

“If you zoom right in on this new Snapchat map thing it literally tells you where everyone lives? Like exact addresses – bit creepy no?” wrote one user called Leanne.

“This new Snapchat update is awful. An invitation for stalkers, kidnappers, burglars and relationship trust issues,” suggested Jade.

Snap told the BBC that accurate location information was necessary to allow friends to use the service to meet, for example at a restaurant or crowded festival, and said points of interest on the map, such as schools, were provided by third-party mapping service Mapbox.

Concerned parents could find out more information on its Privacy Center website, a spokesman told the BBC.

“With Snap Map, location sharing is off by default for all users and is completely optional. Snapchatters can choose exactly who they want to share their location with, if at all, and can change that setting at any time,” a Snap spokesman said.

“It’s also not possible to share your location with someone who isn’t already your friend on Snapchat, and the majority of interactions on Snapchat take place between close friends.”

How to switch off Snap Map location sharing

When in photo-taking mode, pinch the screen to open Snap Map
Touch the settings cog in the top right corner of the screen
Tap “Ghost Mode” to switch off location sharing
Photos and videos posted to Snapchat’s public ‘Our Story’ will still be discoverable on the map

Sears says some Kmart customer credit card numbers compromised

Sears Holdings said on Wednesday it found a security breach involving “unauthorized” credit card activity following some customer purchases at its Kmart stores.

Certain credit card numbers were “compromised” in the event, the company said in an emailed statement, without providing exact figures.

No personal information, such as contact details and social security numbers of customers, was obtained by those responsible for the breach, Sears said.

“There is also no evidence that kmart.com or Sears customers were impacted,” it said.

Facebook alert: Video Sent in Message

Cyber Crime Response Agency would like to advise and warn all Facebook users that a hacking attempt is currently ongoing. The hacking attempt will appear in the form of a video sent to you on Messenger. The video will appear with your profile picture and your name. Do not click on this, as it will cause your account to be disabled. According to the Facebook Help Page, there is no suggested fix for this at the moment.

Employment Scam Targets College Students

In a public service message released on the 18th of January, the Federal Bureau of Investigation described an employment scam targeting college students, with identity theft as the end result. Their public service announcement said as follows:

College students across the United States continue to be targeted in a common employment scam. Scammers advertise phony job opportunities on college employment websites, and/or students receive e-mails on their school accounts recruiting them for fictitious positions. This “employment” results in a financial loss for participating students.

How the scam works:

-Scammers post online job advertisements soliciting college students for administrative positions.
-The student employee receives counterfeit checks in the mail or via e-mail and is instructed to deposit the checks into their personal checking account.
-The scammer then directs the student to withdraw the funds from their checking account and send a portion, via wire transfer, to another individual. Often, the transfer of funds is to a “vendor”, purportedly for equipment, materials, or software necessary for the job.
-Subsequently, the checks are confirmed to be fraudulent by the bank.
The following are some examples of the employment scam e-mails:

“You will need some materials/software and also a time tracker to commence your training and orientation and also you need the software to get started with work. The funds for the software will be provided for you by the company via check. Make sure you use them as instructed for the software and I will refer you to the vendor you are to purchase them from, okay.”

“I have forwarded your start-up progress report to the HR Dept. and they will be facilitating your start-up funds with which you will be getting your working equipment from vendors and getting started with training.”

“Enclosed is your first check. Please cash the check, take $300 out as your pay, and send the rest to the vendor for supplies.”

Consequences of participating in this scam:

-The student’s bank account may be closed due to fraudulent activity and a report could be filed by the bank with a credit bureau or law enforcement agency.
-The student is responsible for reimbursing the bank the amount of the counterfeit checks.
-The scamming incident could adversely affect the student’s credit record.
-The scammers often obtain personal information from the student while posing as their employer, leaving them vulnerable to identity theft.
-Scammers seeking to acquire funds through fraudulent methods could potentially utilize the money to fund illicit criminal or terrorist activity.

Tips on how to protect yourself from this scam:

-Never accept a job that requires depositing checks into your account or wiring portions to other individuals or accounts.
-Many of the scammers who send these messages are not native English speakers. Look for poor use of the English language in e-mails such as incorrect grammar, capitalization, and tenses.
-Forward suspicious e-mails to the college’s IT personnel and report to the FBI. Tell your friends to be on the lookout for the scam.
-If you have been a victim of this scam or any other Internet-related scam, you may file a complaint with the FBI’s Internet Crime Complaint Center at http://www.IC3.gov and notify your campus police.