Companies look beyond firewalls in cyber battle with hackers

TEL AVIV (Reuters) – With firewalls no longer seen as enough of a defense against security breaches, companies are looking at new tools to foil hackers trying to enter a computer network.

U.S. and Israeli startups are leading the way, with new approaches such as “honeytraps” that lure a hacker to fake data or “polymorphic” technology that constantly changes the structure of applications running on a computer.

Some of the technology is still in the early stages and it remains to be seen whether it will be good enough to outfox the hackers.

But with corporate giants such as Sony and Twitter Inc facing high-profile hacks in recent years, companies are desperate for new ideas to make sure financial, personal and corporate data stays safe.

“We view this (deception technologies) as a $3 billion market over the next three years, with Israel and Silicon Valley being the epicenter of this innovation wave,” said Daniel Ives, a senior technology analyst at FBR Capital Markets.

TopSpin Security, Illusive Networks, Cymmetria and GuardiCore in Israel, California-based TrapX and Attivo Networks are among a handful of start-ups forging ahead with deception technology. Israel’s Morphisec and U.S. Shape Security are developing “polymorphic” systems.

Many of those companies use techniques partly developed in the U.S. and Israeli military that were taken to startups by veterans such as Gadi Evron, the head of Cymmetria and of Israel’s Computer Emergency Response Team.

TrapX Security offers DeceptionGrid, a technology using fake information that triggers a security alert.

TrapX clients include Israel’s central bank, U.S. hospital chain HCA, Bezeq, Israel’s largest telecoms group, and Union Bank of Israel, according to Asaf Aviram, sales director for Israel and emergent markets at TrapX.

TopSpin Chief Executive Doron Kolton said his clients include one of Israel’s top five banks, a large U.S. hospital and a mobility technology company. The product is resold by Optiv Security in the United States and Benefit in Israel.

EARLY DAYS

While deception is still a fraction of the overall cybersecurity market, Gartner, a leading technology consultancy, expects 10 percent of businesses to be using deception tactics by 2018.

But Gartner analyst Laurence Pingree noted that they “have so far had only nascent adoption” as many of the companies don’t yet understand the technology.

“Educating security buyers on its usefulness will be crucial,” he said.

Some in the industry note that several companies, including FireEye and CrowdStrike, tried to launch similar products three or four years ago before pulling back, although analysts say the technologies have improved greatly in the past two years.

“A lot of companies are looking at it but it’s still early days,” said a security executive with a Fortune 500 company.

He said deployments were quite limited, with most being trials in which businesses test the product on a limited basis at no cost.

Others said hackers may quickly be able to detect the traps.

“They will be challenged by the fact that (some) hackers are so sophisticated they might detect decoy servers or fake data,” said Ziv Mador, head of research at Chicago-based cybersecurity firm Trustwave.

The technology could offer a second layer of defense to firewalls, which cannot always block malicious attempts, he said, and did not rule out Trustwave offering deception tools in the future.

TopSpin’s Kolton also noted that deception would be “part of a bigger solution” and to “be combined with other things”.

TRAIL OF BREADCRUMBS

The system developed by TopSpin, whose investors include Check Point Software Technologies co-founder Shlomo Kramer, engages attackers once they have penetrated the network. It leads hackers to decoys by sprinkling “breadcrumbs”, such as fake credentials.

While the idea of a honeypot is not new, in the past they were used to alert IT administrators that there was a hacker in the system.

With more advanced technology they slow the hacker and set off tools to stop them getting further into the system. If they follow the trail to the trap, the company knows they are a hacker.

“When someone hits a honeypot it’s malicious activity,” Kolton said.

Attivo’s website says its system lures attackers into revealing themselves when they start to look for “high-value assets”. It also promises no false alarms, a problem with traditional detection systems.
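The “when someone hits a honeypot it’s malicious activity” logic described above, as an added example that is not code from TopSpin, Attivo or any other vendor in the article: decoy credentials are registered together with where the breadcrumb was planted, every authentication attempt that uses one is raised whether it succeeded or failed, and each hit is traced back to the host the attacker must already have reached. The log format, account names, hosts and addresses are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed registry of decoy ("breadcrumb") credentials: username -> where the
# breadcrumb was planted. These accounts are valid only on decoy hosts, and no
# legitimate user or process knows them, so any attempt to use one is attacker
# activity by construction. Names and locations are made up for this example.
DECOYS = {
    "svc_backup_ro": "saved RDP profile on workstation WS-042",
    "oracle_admin": "db.ini left in an old-configs share on FS01",
}

# Assumed one-line authentication event format (not from the article).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

# Constructed sample events. Only 10.0.5.17 and 10.0.7.9 ever touch decoy accounts.
SAMPLE_LOG = """\
2016-01-21T09:12:03Z auth success user=jsmith src=10.0.5.17 dst=FS01
2016-01-21T09:14:40Z auth failure user=svc_backup_ro src=10.0.5.17 dst=DC01
2016-01-21T09:14:52Z auth success user=SVC_BACKUP_RO src=10.0.5.17 dst=DECOY-BK01
2016-01-21T09:20:11Z auth success user=oracle_admin src=10.0.7.9 dst=DECOY-DB02
2016-01-21T09:21:00Z auth success user=akim src=10.0.7.9 dst=DB02
this line is not a parseable auth event
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str
    dst: str
    result: str
    planted_at: str


def scan_auth_log(text, decoys=DECOYS):
    """Return one Alert per authentication attempt that used a decoy credential.

    The attempt's outcome is deliberately ignored: a *failed* logon with a decoy
    username (here, against the real DC01) is as diagnostic as a success on the
    trap host, because the name could only have come from the planted breadcrumb.
    """
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a production pipeline would count these
        user = m["user"].lower()  # account names are matched case-insensitively
        if user in decoys:
            alerts.append(Alert(m["ts"], user, m["src"], m["dst"], m["result"], decoys[user]))
    return alerts


def footholds(alerts):
    """Map each triggered decoy back to the host the breadcrumb was planted on.

    The pairing (planted_at, src) tells the responder which system the attacker
    had already reached in order to pick up the credential: that is where the
    incident starts, not the decoy server the credential was later used against.
    """
    return sorted({(a.planted_at, a.src) for a in alerts})


if __name__ == "__main__":
    hits = scan_auth_log(SAMPLE_LOG)
    for a in hits:
        print(f"ALERT {a.ts} decoy={a.user} {a.src} -> {a.dst} ({a.result}); planted at: {a.planted_at}")
    for planted_at, src in footholds(hits):
        print(f"likely compromised foothold: {src} (read {planted_at})")
```

The near-zero false-alarm rate claimed for such systems holds only while the decoy names never appear in legitimate traffic, so any administrator or scanner that is told the names has to be exempted from the rule.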

Other tools are being developed that would prevent hackers from penetrating a network entirely.

Morphisec, backed by Jerusalem Venture Partners, Deutsche Telekom and GE Ventures, has developed technology that randomly changes the structure of applications running on the computer.

“When an attack seeks its target it expects to find a certain memory structure. With Morphisec it finds something different,” Morphisec CEO Ronen Yehoshua said.

Shape Security of California also uses such “polymorphic” technology.

While these new ideas have mainly been generated by start-up companies, investors say bigger, more established security players are interested.

“I’d say that many antivirus companies are already looking into building similar technologies on their own or buying them,” JVP managing partner Gadi Tirosh said.

(Additional reporting by Jim Finkle in Boston; Editing by Anna Willard)

White House announces major background checks overhaul following data breach

WASHINGTON (Reuters) – The U.S. government will set up a new agency to do background checks on employees and contractors, the White House said on Friday, after a massive breach of U.S. government files exposed the personal data of millions of people last year.

As a part of a sweeping overhaul, the Obama administration said it will establish a National Background Investigations Bureau. It will replace the Office of Personnel Management’s (OPM) Federal Investigative Services (FIS), which currently conducts investigations for over 100 Federal agencies.

The move, a stiff rebuke for FIS and OPM, comes after last year’s disclosure that a hack of OPM computers exposed the names, addresses, Social Security numbers and other sensitive information of roughly 22 million current and former federal employees and contractors, as well as applicants for federal jobs and individuals listed on background check forms.

Unlike FIS, the new agency’s information systems will be handled by the Defense Department, making it even more central to Washington’s effort to bolster its cyber defenses against constant intrusion attempts by hackers and foreign nationals.

“We can substantially reduce the risk of future cyber incidents” by applying lessons learned in recent years, said Michael Daniel, White House cyber security policy coordinator, on a conference call with reporters.

The White House gave no timeline for implementing the changes, but said some would begin this year. It will seek $95 million more in its upcoming fiscal 2017 budget for information technology development, according to a White House fact sheet.

‘NOT THERE YET’

Officials have privately blamed the OPM data breach on China, though security researchers and officials have said there is no evidence Beijing has maliciously used the data trove.

Controversy generated by the hack prompted several congressional committees to investigate whether OPM was negligent in its cyber security practices. OPM Director Katherine Archuleta resigned last July as the government intensified a broad push to improve cyber defenses and modernize systems.

“Clearly we’re not there yet,” Admiral Mike Rogers, head of the National Security Agency, said at a cyber security event in Washington this week when asked about U.S. preparedness against hacks. The damage done by cyber attacks, he added, “is going to get worse before it gets better.”

OPM has been plagued by a large backlog of security clearance files, prompting it to rely on outside contractors for assistance, possibly compromising cyber security.

The Defense Department and OPM did not respond when asked if the government will still rely on support from contractors.

Representative Jason Chaffetz, the Republican chairman of a House of Representatives panel that has been looking into the issue, said Friday’s announcement fell short.

“Protecting this information should be a core competency of OPM,” Chaffetz said in a statement. “Today’s announcement seems aimed only at solving a perception problem rather than tackling the reforms needed to fix a broken security clearance process.”

(Additional reporting by Mark Hosenball and Andrea Shalal; editing by Kevin Drawbaugh, Susan Heavey and Alan Crosby)

Ukraine to review cyber defenses after airport targeted from Russia

KIEV (Reuters) – Ukrainian authorities will review the defenses of government computer systems, including at airports and railway stations, after a cyber attack on Kiev’s main airport was launched from a server in Russia, officials told Reuters on Monday.

Malware similar to that which attacked three Ukrainian power firms in late December was detected last week in a computer in the IT network of Kiev’s main airport, Boryspil. The network includes the airport’s air traffic control.

Although there is no suggestion at this stage that Russia’s government was involved, the cyber attacks have come at a time of badly strained relations between Ukraine and Russia over a nearly two-year-long separatist conflict in eastern Ukraine.

“In connection with the case in Boryspil, the ministry intends to initiate a review of anti-virus databases in the companies which are under the responsibility of the ministry,” said Irina Kustovska, a spokeswoman for Ukraine’s infrastructure ministry, which oversees airports, railways and ports.

Ukraine’s state-run Computer Emergency Response Team (CERT-UA) issued a warning on Monday of the threat of more attacks.

“The control center of the server, where the attacks originate, is in Russia,” military spokesman Andriy Lysenko said by telephone, adding that the malware had been detected early in the airport’s system and no damage had been done.

A spokeswoman for the airport said Ukrainian authorities were investigating whether the malware was connected to a malicious software platform known as “BlackEnergy”, which has been linked to other recent cyber attacks on Ukraine. There are some signs that the attacks are linked, she said.

“Attention to all system administrators … We recommend a check of log-files and information traffic,” CERT-UA said in a statement.

In December three Ukrainian regional power firms experienced short-term blackouts as a result of malicious software in their networks. Experts have described the incident as the first known power outage caused by a cyber attack.

A U.S. cyber intelligence firm in January traced the attack back to a Moscow-backed group known as Sandworm.

The Dec. 23 outage at Western Ukraine’s Prykarpattyaoblenergo cut power to 80,000 customers for about six hours, according to a report from a U.S. energy industry security group.

Ukraine’s SBU state security service has blamed Russia, but the energy ministry said it would hold off on attribution until after it completes a formal probe.

(Editing by Matthias Williams and Gareth Jones)

JetBlue recovering from power outage that shut down website

NEW YORK (Reuters) – JetBlue Airways Corp said it has restored online booking and check-in after a power outage shut its main website for about two hours on Thursday, raising concern about delayed flights.

A maintenance operation disrupted power at a data center run by JetBlue’s business partner Verizon Communications Inc, the airline said in a statement, adding that this was not a “cyber security issue.”

Verizon has since restored power at the center, and JetBlue’s website is up for booking and check-in, the New York-based airline said in a blog post at 2:30 PM ET.

However, JetBlue said it was “still experiencing system issues” because of the outage.

JetBlue had 36 flight delays and four cancellations as of 3:00 p.m. EST, according to flight tracking website FlightAware.com.

The technical issue follows several high-profile computer problems that U.S. airlines experienced in 2015, including a router error at United Continental Holdings Inc and a malfunctioning iPad application used by pilots at American Airlines Group Inc.

Industry consultants say computer disruptions will have a growing impact on airlines, and their passengers, as they automate more operations, outfit their planes with Wi-Fi and distribute boarding passes on smartphones.

(Reporting By Jeffrey Dastin in New York; editing by Andrew Hay and Alden Bentley)

Hyatt says data breach started in August

(Reuters) – Hyatt Hotels Corp said a previously reported malware attack on its payment processing system occurred between August 13 and Dec. 8.

The hotel operator said on Thursday it identified unauthorized access to payment card data from cards used onsite at certain Hyatt-managed locations, primarily at its restaurants.

The company also said the “at-risk window” for a limited number of locations began on or shortly after July 30.

Shares of Hyatt were down 3.1 percent in afternoon trading.

Hyatt also said it has arranged for a third-party identity protection and fraud detection firm to provide one year of services to affected customers at no cost.

The company did not disclose the number of cards affected.

The company disclosed in December that its payment processing system was infected with information-stealing malware but did not mention how long its network was infected.

Hyatt, controlled by the billionaire Pritzker family, is the fourth major hotel operator to warn of a breach since October.

Hilton Worldwide Holdings Inc and Starwood Hotels & Resorts Worldwide Inc disclosed attacks on payment processing systems in November.

Donald Trump’s luxury hotel chain, Trump Hotel Collection, also confirmed the possibility of a data security incident.

(Reporting by Radhika Rukmangadhan in Bengaluru; Editing by Don Sebastian)

U.S. official sees more cyber attacks on industrial control systems

MIAMI (Reuters) – A U.S. government cyber security official warned that authorities have seen an increase in attacks that penetrate industrial control system networks over the past year, and said they are vulnerable because they are exposed to the Internet.

Industrial control systems are computers that control operations of industrial processes, from energy plants and steel mills to cookie factories and breweries.

“We see more and more that are gaining access to that control system layer,” said Marty Edwards, who runs the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT.

ICS-CERT helps U.S. firms investigate suspected cyber attacks on industrial control systems as well as corporate networks.

Interest in critical infrastructure security has surged since late last month, when Ukrainian authorities blamed a power outage on a cyber attack from Russia, which would make it the first known power outage caused by a cyber attack.

Experts attending the S4 conference of some 300 critical infrastructure security specialists in Miami said the incident has caused U.S. firms to ask whether their systems are vulnerable to similar incidents.

Edwards said he believed the increase in attacks was mainly because more control systems are directly connected to the Internet.

“I am very dismayed at the accessibility of some of these networks… they are just hanging right off the tubes,” he said in an on-stage interview with conference organizer Dale Peterson.

Edwards did not say whether those attacks had caused any service disruptions or threatened public safety.

Sean McBride, a critical infrastructure analyst with iSight Partners who attended the talk, said the increase may reflect more publicity in recent years over the risks of cyber attacks, which prompted operators to find more infections.

McBride said he could not say if the increase was troubling because he did not know the intent of the attackers.

Edwards and a DHS spokesman declined to elaborate on his comments.

ICS-CERT said in an alert this week that it had identified malware used in the attack in Ukraine as BlackEnergy 3, a variant of malware that the agency said in 2014 had infected some U.S. critical infrastructure operators.

A DHS official said on Tuesday that government investigators have not confirmed whether the BlackEnergy malware caused the Ukraine incident.

“At this time there is no definitive evidence linking the power outage in Ukraine with the presence of the malware,” said the official, who was not authorized to discuss the matter publicly.

Edwards did not discuss the Ukraine attack during his talk.

(Reporting by Jim Finkle in Miami; Editing by Leslie Adler)

Database of 191 Million U.S. Voters Exposed on Internet: Researcher

By Jim Finkle and Dustin Volz

(Reuters) – An independent computer security researcher uncovered a database of information on 191 million voters that is exposed on the open Internet due to an incorrectly configured database, he said on Monday.

The database includes names, addresses, birth dates, party affiliations, phone numbers and emails of voters in all 50 U.S. states and Washington, researcher Chris Vickery said in a phone interview.

Vickery, a tech support specialist from Austin, Texas, said he found the information while looking for information exposed on the Web in a bid to raise awareness of data leaks.

Vickery said he could not tell whether others had accessed the voter database, which took about a day to download.

While voter data is typically considered public information, it would be time-consuming and expensive to gather a database of all American voters. A trove of all U.S. voter data could be valuable to criminals looking for lists of large numbers of targets for a variety of fraud schemes.

“The alarming part is that the information is so concentrated,” Vickery said.

Vickery said he has not been able to identify who controls the database, but that he is working with U.S. federal authorities to find the owner so they can remove it from public view. He declined to identify the agencies.

A representative with the Federal Bureau of Investigation declined to comment.

A representative with the U.S. Federal Election Commission, which regulates campaign financing, said the agency does not have jurisdiction over protecting voter records.

Regulations on protecting voter data vary from state to state, with many states imposing no restrictions. California, for example, requires that voter data be used for political purposes only and not be available to persons outside of the United States.

Privacy advocates said Vickery’s findings were troubling.

“Privacy regulations are required so a person’s political information can be kept private and safe,” said Jeff Chester, executive director of the Washington-based Center for Digital Democracy.

The leak was first reported by CSO Online and Databreaches.net, computer and privacy news sites that Vickery said helped him attempt to locate the database’s owner.

CSO Online said the exposed information may have originally come from campaign software provider NationBuilder because the leak included data codes similar to those used by that firm.

In a statement, NationBuilder Chief Executive Officer Jim Gilliam said the database was not created by the Los Angeles-based company, but that some of its information may have come from data it freely supplies to political campaigns.

“From what we’ve seen, the voter information included is already publicly available from each state government, so no new or private information was released in this database,” Gilliam said.

(Reporting by Jim Finkle and Dustin Volz; Editing by Jonathan Oatis)

VTech Hires Cyber Security Firm After Hack, Lawmakers Want Answers

VTech hired a company to help it with cyber security after a hacker gained access to the toy maker’s customer database — and private information about millions of adults and children.

The Hong Kong-based company announced Thursday that a team from FireEye is helping it with the fallout from the massive data breach, one of the largest documented consumer hacks.

VTech said in a news release that the United States-based company is helping it beef up its security after a November cyber attack in which a hacker accessed the manufacturer’s Learning Lodge portal, which allows customers to download a variety of content to VTech’s digital toys.

The company has said the data included information like email addresses and passwords but not credit card or social security numbers. The hacker who claimed responsibility for the attack has told Motherboard he also accessed pictures of children and logs of private chats between kids and their parents. Those were originally sent through a VTech service called Kid Connect, which allowed smartphone-using parents to exchange messages with children using VTech tablets.

The hacker has told Motherboard he has no plans to release the data.

VTech said about 4.8 million parents and 6.3 million children were affected by the hack. About 2.2 million parent accounts and 2.9 million child profiles are based in the United States, it said.

The company has suspended Learning Lodge, Kid Connect and several other websites as a precautionary measure, it said. VTech added that it has reviewed the websites and taken steps to safeguard against future attacks, and hiring FireEye appears to be another one of those actions.

“We are deeply shocked by this orchestrated and sophisticated attack on our network. We regret that users of Learning Lodge, Kid Connect and PlanetVTech, some of whom are colleagues, friends and families, are also affected,” VTech Chairman and Group CEO Allan Wong said in a statement that accompanied the announcement. “We would like to offer our sincere apologies for any worry caused by this incident. We are taking all necessary steps to ensure that our users can continue to enjoy our products and services, safe in the knowledge that their data is secure.”

VTech said FireEye’s team will lead a forensic investigation into the attack and help review its customer data security protocols. The toy maker also said it is “cooperating with law enforcement worldwide to investigate the incident,” but did not mention any specific agency’s involvement.

On Wednesday, two United States lawmakers wrote VTech and inquired about the kind of information it collects from children and how the toy manufacturer safeguards that data.

Specifically, Sen. Edward Markey (D.-Mass.) and Congressman Joe Barton (R.-Texas) want to know how VTech complies with the Children’s Online Privacy Protection Act, which governs the data websites can collect from children less than 13 years old.

PC Magazine reported the VTech hack was the fourth largest breach of consumer data.

Children among 5 million affected by VTech hack

Hackers gained access to the private information of about 5 million adults and children who used VTech toys, and some security experts warn that similar data breaches could follow.

The Hong Kong-based digital toy manufacturer announced the massive data breach in a news release on Friday, saying a hacker compromised the company’s Learning Lodge earlier this month. The Learning Lodge is a portal that customers use to download content to VTech toys.

The hackers gained access to VTech’s customer database, which the company said includes information like email addresses and passwords but not social security or credit card numbers.

PC Magazine reported the hack was the fourth largest breach of consumer data on record.

The online technology magazine Motherboard reported on Monday that it spoke to the hacker behind the breach. The hacker claimed he also accessed photographs of children and transcripts of conversations between parents and their kids, some of which dated back to last November.

That data was reportedly sent through VTech’s Kid Connect service, a channel through which adults with smartphones and children with VTech tablets can exchange text and audio messages.

The hacker told Motherboard he didn’t intend to publish or release any of the data he obtained.

VTech said it investigated the breach and implemented steps to combat further attacks. The attorneys general of Connecticut and Illinois said they will also investigate, Reuters reported Monday.

The Reuters report quoted cyber security experts who cautioned that additional breaches like this one are possible. While many digital toys collect data, the experts told Reuters that toy makers don’t necessarily have the same security background as others in the tech industry.

“VTech is a toymaker and I don’t expect them to be security superstars,” Tod Beardsley, the security research manager at the cyber security company Rapid7 Inc., told Reuters. “They are amateurs in the field of security.”

Hong Kong’s Office of the Privacy Commissioner for Personal Data began a “compliance check” on VTech on Tuesday, according to a news release. The inquiry will examine if VTech did enough to safeguard the data before it was breached, as well as the corrective measures it implemented.