U.S. intelligence chief warns of cyber, ‘homegrown’ security threats

WASHINGTON (Reuters) – Attacks by “homegrown” Islamist extremists are among the most imminent security threats facing the United States in 2016, along with dangers posed overseas by Islamic State and cyber security concerns, the top U.S. intelligence official said on Tuesday.

In his annual assessment of threats to the United States, Director of National Intelligence James Clapper warned that fast-moving cyber and technological advances “could lead to widespread vulnerabilities in civilian infrastructures and U.S. government systems.”

In prepared testimony before the Senate Armed Services and Intelligence Committees, Clapper outlined an array of other threats from Russia and North Korean nuclear ambitions to instability caused by the Syrian migrant crisis.

“In my 50 plus years in the intelligence business I cannot recall a more diverse array of crises and challenges than we face today,” Clapper said.

Islamic State poses the biggest danger among militant groups because of the territory it controls in Iraq and Syria, and is determined to launch attacks on U.S. soil, Clapper said. It also has demonstrated “unprecedented online proficiencies,” he said.

While the United States “will almost certainly remain at least a rhetorically important enemy” for many foreign militant groups, “homegrown violent extremists … will probably continue to pose the most significant Sunni terrorist threat to the U.S. homeland in 2016,” he said, referring to Sunni Muslim jihadists.

“The perceived success” of attacks by such extremists in Europe and San Bernardino, California, “might motivate others to replicate opportunistic attacks with little or no warning,” Clapper said.

A married couple inspired by Islamist militants shot and killed 14 people in San Bernardino in December.

General Vincent Stewart, director of Defense Intelligence Agency, told the Senate Armed Services Committee that Islamic State aims to conduct more attacks in Europe during 2016 and has ambitions to attack inside the United States.

The group is taking advantage of the refugee flow from Syria’s civil war to hide militants among them and is adept at obtaining false documentation, Clapper said.

Al Qaeda affiliates, most notably the one in Yemen known as Al Qaeda in the Arabian Peninsula, have proven resilient and are positioned to make gains this year despite pressure from Western counterterrorism operations, Clapper said.

He cited threats from Russia’s increasingly assertive international policies, saying “We could be into another Cold War-like spiral.”

U.S. intelligence assesses that North Korea, which launched a satellite into orbit last weekend, is committed to developing a long-range nuclear armed missile that can reach the United States and has carried out some steps towards fielding a mobile intercontinental ballistic missile system, Clapper said.

He said North Korea has followed through on publicly stated plans to re-start a plutonium production reactor and could begin to assemble a plutonium stockpile within months.

CIA director John Brennan said one of North Korean leader Kim Jong Un’s objectives in conducting nuclear and missile tests is to advance efforts by North Korea to “market” such technology, presumably to other rogue regimes around the world.

(Writing by Doina Chiacu; Editing by Mohammad Zargham and Alistair Bell)

National Security Agency merging offensive, defensive hacking operations

WASHINGTON (Reuters) – The U.S. National Security Agency on Monday outlined a reorganization that will consolidate its spying and domestic cyber-security operations, despite recommendations by a presidential panel that the agency focus solely on espionage.

The NSA said the reorganization, known as “NSA21,” or NSA in the 21st century, will take two years to complete, well into the first term of whoever is elected president in November.

A review board appointed by President Barack Obama recommended in December 2013 that the NSA concentrate solely on foreign intelligence gathering. The board’s recommendations came as the United States was reeling from disclosures from former NSA contractor Edward Snowden about the collection of vast amounts of domestic and international communications data.

Under the board’s plan, a separate agency would have been housed within the Department of Defense with responsibility for enhancing the security of government networks and assisting corporate computer systems.

Ignoring that recommendation, the Obama administration will replace its separate spying and cyber-defense directorates with a unified organization responsible for both espionage and helping defend U.S. computer networks.

The “new structure will enable us to consolidate capabilities and talents to ensure that we’re using all of our resources to maximum effect to accomplish our mission,” NSA Director Mike Rogers said in a workforce address made publicly available on Monday.

Some technology specialists and privacy advocates have said the government agency responsible for building and exploiting flaws in computer software for spying purposes should not be the same one entrusted to warn companies about detected software weaknesses.

The presidential panel cited concerns about “potential conflicts of interest” between the NSA’s offensive and defensive objectives, in addition to the need to restore confidence with the U.S. technology industry to induce better cyber-security collaboration.

“I hope the NSA will explain its strategy for continuing to rebuild trust with the private sector,” Peter Swire, a professor of law at the Georgia Institute of Technology, who served on the five-member review group, said on Monday.

In November, the NSA told Reuters it informed U.S. technology firms more than 90 percent of the time about serious software flaws it found. The spy agency did not say how quickly it alerted those firms, leaving open the possibility it exploits software vulnerabilities before sharing details about them.

(Reporting by Dustin Volz; Editing by Peter Cooney)

Hackers attack 20 million accounts on Chinese shopping site

BEIJING (Reuters) – Hackers in China attempted to access over 20 million active accounts on Alibaba Group Holding Ltd’s Taobao e-commerce website using Alibaba’s own cloud computing service, according to a state media report posted on the Internet regulator’s website.

Analysts said the report from The Paper led to the price of Alibaba’s U.S.-listed shares falling as much as 3.7 percent in late Wednesday trade.

An Alibaba spokesman on Thursday said the company detected the attack in “the first instance”, reminded users to change passwords, and worked closely with the police investigation.

Chinese companies are grappling a sharp rise in the number of cyber attacks, and cyber security experts say firms have a long way to go before defenses catch up to U.S. counterparts.

In the latest case, hackers obtained a database of 99 million usernames and passwords from a number of websites, according to a separate report on a website managed by the Ministry of Public Security.

The hackers then used Alibaba’s cloud computing platform to input the details into Taobao. Of the 99 million usernames, they found 20.59 million were also being used for Taobao accounts, the ministry website said.

The hackers started inputting the details into Taobao in mid-October and were discovered in November, at which time Alibaba immediately reported the case to police, the ministry website said. The hackers have since been caught, it said.

Alibaba’s systems discovered and blocked the vast majority of log-in attempts, according to the ministry website.

The hackers used compromised accounts to fake orders on Taobao, a practice known as “brushing” in China and used to raise sellers’ rankings, the newspaper said. The hackers also sold accounts to be used for fraud, it said.

Alibaba’s spokesman said the hackers rented the cloud computing service, but declined to comment on security measures designed to stop the system being used for the attack. He said they could have used any such service, and that the attack was not aided by any possible loopholes in Alibaba’s platform.

“Alibaba’s system was never breached,” the spokesman said.

The number of accounts, 20.59 million, represents about 1 out of every 20 annual active buyers on Alibaba’s China retail marketplaces.

(Reporting by Paul Carsten; Additional reporting by Beijing Newsroom; Editing by Christopher Cushing)

Ex-government employee pleads guilty in nuclear secrets cyber attack scheme

A former government employee who was accused of trying to orchestrate a cyber attack against computers that contained information about nuclear weapons pleaded guilty to a federal computer crime, the Department of Justice announced in a news release on Tuesday afternoon.

Prosecutors said 62-year-old Charles Harvey Eccleston, a former employee of the Nuclear Regulatory Commission, admitted his guilt in the attempted “spear-phishing” attack that took place last January. Eccleston was arrested after an undercover operation in which prosecutors said the accused dealt with FBI employees who had been posing as foreign government officials.

Spear-phishing is a type of cyber attack in which people send authentic-looking emails to their targets, encouraging the recipients to open them. However, the emails contain malicious code.

According to the Department of Justice, Eccleston sent an email that he believed contained a virus to about 80 Department of Energy employees, thinking the code would allow a foreign country to infiltrate or harm their computers. Prosecutors said Eccleston targeted employees “whom he claimed had access to information related to nuclear weapons or nuclear materials.”

The code was harmless and was actually crafted by the FBI, according to the release.

Eccleston, who thought he would be paid roughly $80,000 for sending the spear-phishing email, was arrested last March during a meeting with an undercover FBI employee, prosecutors said.

“Eccleston admitted that he attempted to compromise, exploit and damage U.S. government computer systems that contained sensitive nuclear weapon-related information with the intent of allowing foreign nations to gain access to that information or to damage essential systems,” Assistant Attorney General John P. Carlin said in a statement announcing the guilty plea.

Prosecutors said Eccleston was fired from his job with the Nuclear Regulatory Commission in 2010. He moved to the Philippines the following year and had been living there until his arrest.

The alleged cyber attack wasn’t the first time that law enforcement heard Eccleston’s name.

Prosecutors said the FBI first learned about Eccleston in 2013 after he walked into an embassy in the Philippines and offered to sell a list of 5,000 U.S. government email accounts for $18,800. If the nation wasn’t interested, Eccleston said he would offer the list to China, Iran or Venezuela.

That November, the FBI sent undercover employees to meet with Eccleston and had them pose as foreign government officials. One FBI employee bought a list of 1,200 email addresses for $5,000, prosecutors said, though an investigation found the accounts were publicly available.

Prosecutors said Eccleston communicated with the employees for “several months,” and offered to help design the spear-phishing emails during a meeting with an undercover FBI employee in June 2014. He made the bogus emails look like advertisements for a nuclear energy conference.

Eccleston pleaded guilty to attempted unauthorized access and intentional damage to a protected computer and faces 24 to 30 months in prison and a $95,000 fine when he is sentenced in April, prosecutors announced.

Company develops ‘tech tattoos’ to store medical, financial info

A software company has created a “tech tattoo” that allows a person to store their medical and financial information inside his or her body, according to a new report from CBS New York.

Officials from Chaotic Moon, the company behind the tattoos, told the television station that the tattoos can monitor a patient’s vital signs and other medical information and wirelessly send the data to doctors. The tattoos, which use special ink and microchips, can last up to a year and may replace the need for people to visit doctors for their annual physicals, according to the report.

The tattoos could also one day be used to help locate lost children or monitor the vital signs of soldiers in combat, the television station reported, and might also eliminate the need for wallets because people will be able to store their credit card information and identification in them.

Reports: U.S., British spies hacked Israeli air force

JERUSALEM (Reuters) – The United States and Britain have monitored secret sorties and communications by Israel’s air force in a hacking operation dating back to 1998, according to documents attributed to leaks by former U.S. spy agency contractor Edward Snowden.

Israel voiced disappointment at the disclosures, which were published on Friday in three media outlets and might further strain relations with Washington after years of feuding over strategies on Iran and the Palestinians.

Israel’s Yedioth Ahronoth daily said the U.S. National Security Agency, which specializes in electronic surveillance, and its British counterpart GCHQ spied on Israeli air force missions against the Palestinian enclave Gaza, Syria and Iran.

The spy operation, codenamed “Anarchist”, was run out of a Cyprus base and targeted other Middle East states too, it said. Its findings were mirrored by stories in Germany’s Der Spiegel news magazine and the online publication The Intercept, which lists Snowden confidant Glenn Greenwald among its associates.

“This access is indispensable for maintaining an understanding of Israeli military training and operations and thus an insight to possible future developments in the region,” The Intercept quoted a classified GCHQ report as saying in 2008.

That year, Israel went to war against Hamas guerrillas in Gaza and began issuing increasingly vocal threats to attack Iranian nuclear facilities if it deemed international diplomacy insufficient to deny its arch-foe the means of making a bomb.

Asked for comment, the United States and Britain said through spokespeople for their embassies in Israel that they do not publicly discuss intelligence matters.

NOT “DEEPEST KINGDOM OF SECRETS”

Israeli Energy Minister Yuval Steinitz, a member of Prime Minister Benjamin Netanyahu’s security cabinet, sought to play down the potential damage but said lessons would be learned.

“I do not think that this is the deepest kingdom of secrets, but it is certainly something that should not happen, which is unpleasant,” he told Israel’s Army Radio. “We will now have to look and consider changing the encryption, certainly.”

With the Netanyahu government and Obama administration at loggerheads over the U.S.-led nuclear agreement with Iran, there have been a series of high-profile media exposes in recent months alleging mutual espionage between the allies.

Israel insists that it ceased such missions since it ran U.S. Navy analyst Jonathan Pollard as an agent in the 1980s.

“We know that the Americans spy on the whole world, and also on us, also on their friends,” Steinitz said. “But still, it is disappointing, inter alia because, going back decades already, we have not spied nor collected intelligence nor hacked encryptions in the United States.”

The Intercept report included what it said were images of armed Israeli drones hacked from onboard cameras’ live feeds.

Israel neither confirms nor denies having armed drones, though one of its senior military officers was quoted as acknowledging their existence in a 2010 U.S. diplomatic cable that was previously disseminated by WikiLeaks.

Yedioth said that the hacking revelations could hurt Israeli drone sales to Germany should Berlin worry about the aircraft networks’ security. But Steinitz brushed off that possibility.

“Every country carries out its own encryption,” he said.

Germany said on January 12 it would lease Heron TP drones from state-owned Israel Aerospace Industries (IAI).

(Writing by Dan Williams; Editing by Mark Heinrich)

Hackers target HSBC, disrupt online banking for UK customers

Hackers targeted one of the world’s largest banks on Friday morning, preventing some of HSBC’s customers in the United Kingdom from being able to access their online accounts.

HSBC issued a statement saying it “successfully defended” against a denial-of-service attack, in which hackers try to prevent people from accessing a given site by overwhelming it with traffic.

The company said the attack targeted its Internet banking system for the United Kingdom, but no transactions were affected. However, some United Kingdom customers who tried to log into their accounts Friday were greeted by a message that said online banking was unavailable.

That message did not appear on the company’s website for online banking in the United States.

HSBC tweeted that its service was recovering, though it was still seeing some denial-of-service attacks some five hours after it initially reported the incident. The bank added it was “working closely with law enforcement authorities to pursue the criminals responsible.”

About 17 million United Kingdom residents are HSBC customers, the bank says. It apologized to all those inconvenienced by the outage, and encouraged them to visit a branch for urgent issues.

It was the second time this month that HSBC customers had an issue with online banking.

The company tweeted that “an internal technical issue” prevented some people from accessing their accounts on Jan. 4 and Jan. 5. In a video tweeted from the company’s account, an HSBC official said that was not caused by a cyber attack and that customers’ data was never at risk.

HSBC has about 6,100 offices in more than 70 countries and territories across the globe, according to its website.

Canada stops sharing some spy info with allies after breach

OTTAWA (Reuters) – Canada has stopped its electronic spy agency from sharing some data with key international allies after discovering the information mistakenly contained personal details about Canadians, government officials said on Thursday.

Ottawa acted after learning that the Communications Security Establishment (CSE) agency had failed to properly disguise metadata – the numbers and time stamps of phone calls but not their content – before passing it on to their international partners.

“CSE will not resume sharing this information with our partners until I am fully satisfied the effective systems and measures are in place,” Defense Minister Harjit Sajjan said in a statement.

Sajjan, who has overall responsibility for the agency, did not say when Canada had stopped sharing the data in question.

Canada is part of the Five Eyes intelligence sharing network, along with the United States, Britain, Australia and New Zealand. CSE, like the U.S. National Security Agency, monitors electronic communication and helps protect national computer networks.

While the agency is not allowed to specifically target Canadians or Canadian corporations, it can scoop up data about Canadians while focusing on other targets.

Sajjan, blaming technical deficiencies at CSE for the problems, said the metadata that Canada shared did not contain names or enough information to identify individuals and added: “The privacy impact was low.”

He made the announcement shortly after an official watchdog that monitors CSE revealed the metadata problem. The watchdog said CSE officials themselves had realized they were not doing enough to disguise the information they shared.

An NSA program to vacuum up Americans’ call data was exposed publicly by former NSA contractor Edward Snowden in 2013 and prompted questions about the CSE’s practices.

(Reporting by David Ljunggren; Editing by Diane Craft)

Wendy’s probing likely fraudulent payment-card charges

(Reuters) – Burger chain operator Wendy’s Co said on Wednesday it was investigating reports of unusual activity with payment cards used at some of its 5,700 locations in the United States.

“Reports indicate fraudulent charges may have occurred elsewhere after payment cards were legitimately used at some restaurants,” Wendy’s spokesman Bob Bertini told Reuters in an email statement.

Large retailers such as Target Corp and Home Depot Inc have been victims of security breaches in recent years. Gourmet sandwich chain Jimmy John’s was also breached in 2014.

“Until this investigation is completed, it is difficult to determine with certainty the nature or scope of any potential incident,” Bertini said. “We have hired a cyber security firm to assist, but are not disclosing the name at this point.”

Security blog Krebs on Security first reported the development earlier in the day.

(Reporting by Subrat Patnaik and Sruthi Ramakrishnan in Bengaluru; Editing by Savio D’Souza and Maju Samuel)

Just how smart can you make your home?

NEW YORK (Reuters) – Carlos Espinosa, a design professional based in Boulder, Colorado, has a completely decked-out “smart” home – light switches he can control from his mobile phone, a security system, moisture detectors that alert him to leaks and integrated stereo speakers.

The most life-changing aspect of this set-up? Espinosa says it is how the porch lights turn on when he rounds the corner to his home late at night, responding to a command from his phone. The front door also unlocks as he approaches.

(An experiment during the last Olympic Games to make the lights flash every time the United States won a gold medal turned out to be annoying.)

His so-called smart technology system took about a year and an estimated few hundred dollars worth of equipment to perfect.

Smart home gizmos are poised to make up a $60 billion segment of the global industry, according to research firm MarketsandMarkets, but consumers only need to spend just a few hundred a pop on upgrades that will make their lives more automated – and may even increase the value of a home.

Espinosa, for example, spent about $300 for ten Philips Hue lightbulbs and the SmartThings hub that integrates with his phone to turn them on and off.

His August Smart Lock – which can be unlocked from afar with the phone – runs about $200 now. Over time, he has built up his Sonos sound system, with speakers controlled by an app, that currently costs $199 for an introductory unit.

Espinosa also pays a monthly fee for his home security system that is bundled through Comcast, his cable television service provider.

That is a far cry from the $5,000 Samsung refrigerator showcased at the Consumer Electronics Show in January that has three cameras inside and can send an alert when you need milk.

Matt McAdoo, a sales consultant for Keller Williams real estate in Buda, Texas, and also an installer, charges $95 an hour to set up home automation systems, with jobs ranging from a day to a week.

McAdoo says many homebuilders are pre-wiring houses for easy installation of home security systems, doorbell webcams and automated light switches.

“It’s not going to make or break the sale of the house, but it’s a plus if it’s already in there,” he says.

He knows this first-hand, as he sold his own souped-up house recently for $285,000, well above identical houses in the development that sell for $265,000.

The house had wireless thermostats, surveillance cameras on every corner of the building, a programmable lock, cable jacks placed high up walls for flat-panel TVs, and even a centralized vacuum system built into the walls – plug in and the dirt goes through the pipes.

Danny Hertzberg, a Miami Beach-based real estate agent with Coldwell Banker, says that for about $2,000 sellers can upgrade their houses with the kind of features that buyers want – which are so far restricted to smart thermostats, lights and security systems.

“Maybe four or five years ago, if you wanted these things, you had to hire a professional company, spending about $30,000 and opening walls. Now everything is so simple and DIY,” Hertzberg says.

About half of the homes Hertzberg sees now have a Nest thermostat, which can be controlled by your phone, or an equivalent. One-third have automated lighting.

The goal of homeowners with all of these smart-home upgrades is convenience.

“What we have learned, for a considered purchase that’s $200, they are looking for a clear value to them,” says Jason Johnson, chief executive of August.

In his own house, Johnson says the peak of convenience is being able to lie in bed and ask his Amazon.com Echo system, which responds to voice commands to control connected devices, to turn off the lights in the living room.

For fun, Johnson likes to voice command the five locks he has in his house through his iPhone: “I say, ‘Siri, lock my doors,’ and all of them go at the same time. It sounds like lockdown at a prison.”

(Editing by Lauren Young and G Crosse)