Tag Archives: Cyber Security

GE fixing bug in software after warning about power grid hacks

FILE PHOTO: The logo of a General Electric (GE) facility is seen behind tree branches in Medford, Massachusetts, U.S., April 20, 2017. REUTERS/Brian Snyder/File Photo

By Jim Finkle

(Reuters) – General Electric Co <GE.N> said on Wednesday it is fixing a bug in software used to control the flow of electricity in a utility’s power systems after researchers found that hackers could shut down parts of an electric grid.

The vulnerability could enable attackers to gain remote control of GE protection relays, enabling them to “disconnect sectors of the power grid at will,” according to an abstract posted late last week on the Black Hat security conference website.

Protection relays are circuit breakers that utilities program to open and halt power transmission when dangerous conditions surface.

Interest in grid security has intensified amid the increased use of cyber weapons by nation states, including two high-profile cyber attacks in Ukraine that authorities in Kiev have blamed on Russia.

Three New York University security experts are scheduled to discuss the issue at the Las Vegas Black Hat hacking conference in July. They could not be reached immediately for comment.

GE is not aware of any cases in which hackers exploited the bug to cause power outages, said GE spokeswoman Annette Busateri. The bug only involves older GE protection relays introduced in the 1990s “before current industry expectations for security,” she said.

“We have been in the process of issuing notifications and providing product upgrades to our affected customer base on available firmware updates to address this issue,” she said.

GE has issued patches for five of six models affected by the vulnerability and will soon release a patch for the sixth model, Busateri said.

Michael Assante, former chief security officer with the North American Electric Reliability Corp, which regulates the North American grid, said the product was still widely deployed because the industry runs systems for decades before upgrading to new technologies.

“This is certainly a significant issue,” he said.

Hackers caused power to go out in 2015 and 2016 attacks in Ukraine by using other techniques to force breakers to open, Assante said.

(Reporting by Jim Finkle in Toronto; Editing by Chizu Nomiyama and Jeffrey Benkoe)

Cyber extortion demands surge as victims keep paying: Symantec

A man walks past a display of hexadecimal code in a file photo. REUTERS/Nigel Treblin

By Alastair Sharp

TORONTO (Reuters) – Hackers are demanding increasingly hefty ransoms to free computers paralyzed with viruses, as cyber criminals seek to maximize profits from large numbers of victims willing to pay up, according to cyber security firm Symantec Corp.

The average demand embedded in such malicious software, which is known as ransomware, more than tripled last year to $1,077 from $294, and the pricing has continued to rise in 2017, according to Symantec.

“The bad guys haven’t found the top end of what people will pay,” Symantec Director of Security Response Kevin Haley said in a telephone interview.

Symantec said 69 percent of ransomware infections in 2016 hit consumer computers, with the remainder targeting businesses and other organizations.

More than a third of consumer ransomware victims around the globe pay cyber criminals to regain access to their data, according to Symantec. In the United States, where such attacks are most prevalent, 64 percent pay.

“If six out of ten people will pay your ransom when it’s three hundred bucks, you’re thinking ‘What if I raise it to four hundred? What if I raise to five hundred?'” Haley said.

The surge in cyber extortion has been fueled partly by the sale of ransomware kits, which sell for $10 to $1,800 on underground markets and make it easy for wannabe cyber crooks to get in the business, according to Symantec.

One kit, known as Shark, lets users name their demand, which its creators collect from victims and pass on to attackers, minus a 20 percent commission.

Ransomware attacks have increased sharply over the past year, with criminals targeting hospitals, police departments and other providers of critical services in the United States and Europe.

In some cases, the attacks have interrupted critical public services.

U.S. and European hospitals have been forced to divert patients to other facilities when ransomware paralyzed computer systems.

Local police have been forced to manually dispatch calls, and San Francisco’s public transit system was unable to collect fares for a weekend during the busy Christmas shopping season.

(Reporting by Alastair Sharp; Editing by Steve Orlofsky; Editing by Jim Finkle and Steve Orlofsky)

Cyber attack hits 1,200 InterContinental hotels in United States

The Logo of a Holiday Inn Hotel is pictured in Paris, France, August 8, 2016. REUTERS/Jacky Naegelen

By Alastair Sharp

TORONTO (Reuters) – Global hotel chain InterContinental Hotels Group Plc <IHG.L> said 1,200 of its franchised hotels in the United States, including Holiday Inn and Crowne Plaza, were victims of a three-month cyber attack that sought to steal customer payment card data.

The company declined to say how many payment cards were stolen in the attack, the latest in a hacking spree on prominent hospitality companies including Hyatt Hotels Corp <H.N>, Hilton, and Starwood Hotels, now owned by Marriott International Inc <MAR.O>.

The breach lasted from September 29 to December 29, InterContinental spokesman Neil Hirsch said on Wednesday. He declined to say if losses were covered by insurance or what financial impact the hacking might have on the hotels that were compromised, which also included Hotel Indigo, Candlewood Suites and Staybridge Suites properties.

The malware searched for track data stored on magnetic stripes, which includes name, card number, expiration date and internal verification code, the company said.

Hotel operators have become popular targets because they are easier to breach than other businesses that store credit card numbers as they have limited knowledge in defending themselves against hackers, said Itay Glick, chief executive of Israeli cyber-security company Votiro. “They don’t have massive data centers like banks which have very secure systems to protect themselves,” said Glick.

InterContinental declined to say how many franchised properties it has in the United States, which is part of its business unit in the Americas with 3,633 such properties.

In February, InterContinental said it had been victim of a cyber attack, but at that time said that only 12 of its 286 managed properties in the Americas were infected with malware.

Beijing cyber regulators to summon Apple over live streaming: Xinhua

FILE PHOTO: The Apple logo is pictured inside the newly opened Omotesando Apple store at a shopping district in Tokyo June 26, 2014. REUTERS/Yuya Shino/File Photo

BEIJING (Reuters) – Internet regulators in China’s capital plan to summon Apple Inc <APPL.O> to urge the American firm to tighten its checks on software applications available in its Apple Store, the official Xinhua News Agency reported on Wednesday.

The Beijing Cyberspace Administration, together with the Beijing Public Security Bureau and Beijing Cultural Market Administrative Law Enforcement Team, has already met representatives from Apple about the examination of live streaming apps from its app store, Xinhua said.

The U.S. tech firm is turning to selling more apps and services in China amid falling sales and rising competition from domestic smartphone makers.

Apple confirmed this year that it removed the New York Times Co’s <NYT.N> English- and Chinese-language news apps from its iTunes store in China following a request from authorities.

Apple in Beijing could not be reached for comment after normal business hours.

The Beijing Cyberspace Administration and the other two departments separately ordered three domestic live-streaming websites to rectify management loopholes, Xinhua said.

China’s fast-growing live-streaming market produced revenues of more than 30 billion yuan ($4.36 billion) last year, according to investment bank China Renaissance Securities, even as regulators have clamped down on sites that provide illegal content, including pornography.

(Reporting By Matthew Miller and Catherine Cadell; Editing by Robert Birsel)

Hackers release files indicating NSA monitored global bank transfers

FILE PHOTO: Swift code bank logo is displayed on an iPhone 6s among Euro banknotes in this picture illustration January 26, 2016. REUTERS/Dado Ruvic/File Photo - RTS11WHG

By Clare Baldwin

(Reuters) – Hackers released documents and files on Friday that cybersecurity experts said indicated the U.S. National Security Agency had accessed the SWIFT interbank messaging system, allowing it to monitor money flows among some Middle Eastern and Latin American banks.

The release included computer code that could be adapted by criminals to break into SWIFT servers and monitor messaging activity, said Shane Shook, a cyber security consultant who has helped banks investigate breaches of their SWIFT systems.

The documents and files were released by a group calling themselves The Shadow Brokers. Some of the records bear NSA seals, but Reuters could not confirm their authenticity.

The NSA could not immediately be reached for comment.

Also published were many programs for attacking various versions of the Windows operating system, at least some of which still work, researchers said.

In a statement to Reuters, Microsoft <MSFT.O>, maker of Windows, said it had not been warned by any part of the U.S. government that such files existed or had been stolen.

“Other than reporters, no individual or organization has contacted us in relation to the materials released by Shadow Brokers,” the company said.

The absence of warning is significant because the NSA knew for months about the Shadow Brokers breach, officials previously told Reuters. Under a White House process established by former President Barack Obama’s staff, companies were usually warned about dangerous flaws.

Shook said criminal hackers could use the information released on Friday to hack into banks and steal money in operations mimicking a heist last year of $81 million from the Bangladesh central bank.

“The release of these capabilities could enable fraud like we saw at Bangladesh Bank,” Shook said.

The SWIFT messaging system is used by banks to transfer trillions of dollars each day. Belgium-based SWIFT downplayed the risk of attacks employing the code released by hackers on Friday.

SWIFT said it regularly releases security updates and instructs client banks on how to handle known threats.

“We mandate that all customers apply the security updates within specified times,” SWIFT said in a statement.

SWIFT said it had no evidence that the main SWIFT network had ever been accessed without authorization.

It was possible that the local messaging systems of some SWIFT client banks had been breached, SWIFT said in a statement, which did not specifically mention the NSA.

When cyberthieves robbed the Bangladesh Bank last year, they compromised that bank’s local SWIFT network to order money transfers from its account at the New York Federal Reserve.

The documents released by the Shadow Brokers on Friday indicate that the NSA may have accessed the SWIFT network through service bureaus. SWIFT service bureaus are companies that provide an access point to the SWIFT system for the network’s smaller clients and may send or receive messages regarding money transfers on their behalf.

“If you hack the service bureau, it means that you also have access to all of their clients, all of the banks,” said Matt Suiche, founder of the United Arab Emirates-based cybersecurity firm Comae Technologies, who has studied the Shadow Broker releases and believes the group has access to NSA files.

The documents posted by the Shadow Brokers include Excel files listing computers on a service bureau network, user names, passwords and other data, Suiche said.

“That’s information you can only get if you compromise the system,” he said.

ATTEMPT TO MONITOR FLOW OF MONEY

Cris Thomas, a prominent security researcher with the cybersecurity firm Tenable, said the documents and files released by the Shadow Brokers show “the NSA has been able to compromise SWIFT banking systems, presumably as a way to monitor, if not disrupt, financial transactions to terrorists groups”.

Since the early 1990s, interrupting the flow of money from Saudi Arabia, the United Arab Emirates and elsewhere to al Qaeda, the Taliban, and other militant Islamic groups in Afghanistan, Pakistan and other countries has been a major objective of U.S. and allied intelligence agencies.

Mustafa Al-Bassam, a computer science researcher at University College London, said on Twitter that the Shadow Brokers documents show that the “NSA hacked a bunch of banks, oil and investment companies in Palestine, UAE, Kuwait, Qatar, Yemen, more.”

He added that NSA “completely hacked” EastNets, one of two SWIFT service bureaus named in the documents that were released by the Shadow Brokers.

Reuters could not independently confirm that EastNets had been hacked.

EastNets, based in Dubai, denied it had been hacked in a statement, calling the assertion “totally false and unfounded.”

EastNets ran a “complete check of its servers and found no hacker compromise or any vulnerabilities,” according to a statement from EastNets’ chief executive and founder, Hazem Mulhim.

In 2013, documents released by former NSA contractor Edward Snowden said the NSA had been able to monitor SWIFT messages.

The agency monitored the system to spot payments intended to finance crimes, according to the documents released by Snowden.

Reuters could not confirm whether the documents released Friday by the Shadow Brokers, if authentic, were related to NSA monitoring of SWIFT transfers since 2013.

Some of the documents released by the Shadow Brokers were dated 2013, but others were not dated.

The documents released by the hackers did not clearly indicate whether the NSA had actually used all the techniques cited for monitoring SWIFT messages.

(Additional reporting by Tom Bergin in London; Dustin Volz and John Walcott in Washington; Joseph Menn in San Franciso; and Jim Finkle in Buffalo, New York.; Editing by Brian Thevenot and Cynthia Osterman)

China draft cyber law mandates security assessment for outbound data

BEIJING (Reuters) – China’s top cyber authority on Tuesday released a draft law that would require firms exporting data to undergo an annual security assessment, in the latest of several recent safeguards against threats such as hacking and terrorism.

Any business transferring data of over 1000 gigabytes or affecting over 500,000 users will be assessed on its security measures and on the potential of the data to harm national interests, showed the draft from the Cyberspace Administration of China (CAC).

The law would ban the export of any economic, technological or scientific data whose transfer would pose a threat to security or public interests. It would also require firms to obtain the consent of users before transmitting data abroad.

The proposed law, which focuses on personal information security, comes just a day after state media reported government rewards of $1,500 to $73,000 for citizens who report suspected spies.

It is also an extension of legislation passed in November formalizing a range of controls over firms that handle data in industries the government deems critical to national interests.

Business groups have criticized the November law, which is effective from June, calling rules “vague” and claiming they unfairly target foreign companies with stringent requirements.

Chinese officials denied that the November law targets foreign firms.

Under the rules released on Tuesday, sensitive geographic data such as information on marine environments would also be subject to scrutiny. Destination countries and the likelihood of oversees tampering would also be factored in to any assessments.

The draft is open for public comment until May 11.

(Reporting by Cate Cadell; Editing by Christopher Cushing)

U.S. trade group hacked with Chinese software ahead of Xi summit

FILE PHOTO: A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken on March 1, 2017.REUTERS/Kacper Pempel/Illustration/File Photo

By Joseph Menn

SAN FRANCISCO (Reuters) – A sophisticated hacking group that pursues Chinese government interests broke into the website of a private U.S. trade group ahead of Thursday’s summit between U.S. President Donald Trump and Chinese President Xi Jinping, according to researchers.

The hackers left a malicious link on web pages where members of the National Foreign Trade Council (NFTC) register for upcoming meetings, according to researchers at Fidelis Cybersecurity and a person familiar with the trade group.

The nonprofit NFTC is a prominent advocate on international trade policy, with corporate members including Wal-Mart Stores Inc <WMT.N>, Johnson & Johnson <JNJ.N>, Amazon.com Inc <AMZN.O>, Ford Motor Co <F.N> and Microsoft Corp <MSFT.O>.

The malicious link deployed a spying tool called Scanbox, which would have recorded the type and versions of software running on the computers of those exposed to it, said Fidelis researcher John Bambenek. Such reconnaissance is typically followed by new attacks using known flaws in the detected software, especially older versions.

Scanbox has only been used by groups associated with the Chinese government, Fidelis said, and was recently seen on a political site aimed at Uyghurs, an ethnic minority under close government scrutiny in China.

The breach was detected about five weeks ago by a NFTC director who is a customer of Fidelis, the security company said. Both the Federal Bureau of Investigation and the NFTC were notified and the malicious link removed, and Fidelis said it had no evidence of NFTC members being infected.

The FBI and the NFTC declined to comment. A spokesman for the Chinese foreign ministry did not respond to a request for comment.

Bambenek said he believed the attack was classic espionage related to international trade talks, rather than a violation of a 2015 agreement between former U.S. President Barack Obama and Xi to end spying for commercial motives.

The summit starting on Thursday is the first meeting between Xi and Trump, who blamed China on the campaign trail for the loss of many U.S. jobs and vowed to confront the country’s leaders on the matters of trade and currency manipulation.

“I think it’s traditional espionage that happens ahead of any summit,” said Bambenek. “They would like to know what we, the Americans, really care about and use that for leverage.”

Other security firms agreed that wholesale theft of U.S. intellectual property has not returned.

Instead, FireEye Inc <FEYE.O> and BAE Systems Plc <BAES.L> said that the hacking group identified by Fidelis, called APT10, has recently attacked government and commercial targets in Europe.

FireEye researcher John Hultquist said heavy industries in Nordic countries have been hacked more often as Beijing switches priorities.

“They are certainly taking those resources and pushing them to other places where they can still get away with this behavior,” Hultquist said.

(Reporting by Joseph Menn in San Francisco; Addtional reporting by Dustin Volz in Washington; Editing by Bill Rigby)

German military can use ‘offensive measures’ against cyber attacks: minister

German Defence Minister Ursula von der Leyen in Berlin, Germany, March 22, 2017. REUTERS/Fabrizio Bensch

BERLIN (Reuters) – The German military has the authority to respond with “offensive measures” if its computer networks are attacked, German Defence Minister Ursula von der Leyen said on Wednesday, amid growing concerns among German lawmakers about control of such actions.

Von der Leyen, speaking at the opening ceremony for Germany’s new cyber command in Bonn, gave no details of what kind of retaliation she had in mind.

“If the German military’s networks are attacked, then we can defend ourselves. As soon as an attack endangers the functional and operational readiness of combat forces, we can respond with offensive measures,” she said.

She added that the German military could be called in to help in the event of cyber attacks on other governmental institutions. During foreign missions, its actions would be governed and bounded by the underlying parliamentary mandate.

Any legal questions would be addressed by the military in close cooperation with other government agencies, she added.

The new Bonn-based command has an initial staff of 260 that will grow to around 13,500 in July.

Von der Leyen’s decision to sanction offensive cyber actions in principle has caused some concerns among German lawmakers, including Agnieszka Brugger, a member of the pro-environment Greens and member of the defense committee.

Military ombudsman Hans-Peter Bartels, who fields complaints from soldiers for parliament, told the Neue Osnabrueckner Zeitung newspaper on Wednesday that every offensive measure required explicit approval by the parliament since Germany’s military is a so-called “parliamentary army”.

German officials told reporters earlier this week that the government was scrambling to respond to serious and growing cyber threats, but civilian officials said they lacked the legal framework to retaliate with cyber attacks of their own.

However, von der Leyen made clear on Wednesday that she was convinced the authorities were clear in the military realm.

Deputy Defence Minister Katrin Suder told reporters on Monday that existing laws applied, even in cyberspace.

Von der Leyen said Berlin was increasing expenditure to keep up with technical innovations.

Germany’s current military budget included 1.6 billion euros for information technology-related items, ranging from new radios and hardware to service contracts, and spending was slated to increase significantly in 2018, she said.

The military also spent around 1 billion euros a year on personnel.

(Reporting by Andrea Shalal; Editing by Stephen Powell)

UK and Swedish watchdogs warn of international cyber attack

A magnifying glass is held in front of a computer screen in this picture illustration taken in Berlin May 21, 2013. REUTERS/Pawel Kopczynski

STOCKHOLM (Reuters) – A large-scale cyber attack from a group targeting organizations in Japan, the United States, Sweden and many other European countries through IT services providers has been uncovered, the Swedish computer security watchdog said on Wednesday.

The cyber attack, uncovered through a collaboration by Britain’s National Cyber Security Centre, PwC and cyber security firm BAE Systems, targeted managed service providers to gain access to their customers’ internal networks since at least May 2016 and potentially as early as 2014.

The exact scale of the attack, named Cloud Hopper from an organization called APT10, is not known but is believed to involve huge amounts of data, Sweden’s Civil Contingencies Agency said in a statement. The agency did not say whether the cyber attacks were still happening.

“The high level of digitalization in Sweden, along with the amount of services outsourced to managed service providers, means that there is great risk that several Swedish organizations are affected by the attacks,” the watchdog said.

The agency said those behind the attacks had used significant resources to identify their targets and sent sophisticated phishing e-mails to infect computers.

It also said Swedish IP addresses had been used to coordinate the incursions and retrieve stolen data and that APT10 specifically targeted IT, communications, healthcare, energy and research sectors.

(Reporting by Johan Ahlander; Editing by Niklas Pollard and Stephen Powell)

McDonald’s Canada says 95,000 affected in careers website hack

A Canadian flag waves beside McDonalds fast food restaurant in Toronto, May 1, 2014. REUTERS/Mark Blinch

(Reuters) – McDonald’s Corp’s <MCD.N> Canadian unit said on Friday personal information of about 95,000 restaurant job applicants was compromised in a cyber attack on its careers website.

The information included names, addresses, email addresses, phone numbers and employment backgrounds of candidates who applied online for jobs at McDonald’s Canada restaurants between March 2014 and March 2017.

The careers website was shut down after McDonald’s learned of the attack, and will remain closed until an ongoing investigation is complete, the unit said.

The company said it currently had no evidence that the information taken had been misused.

McDonald’s Canada said its job application forms do not ask for sensitive personal information such as social insurance numbers, banking or health information.

McDonald’s said earlier this month its official Twitter handle was compromised after a tweet sent from the account slammed U.S. President Donald Trump.

(Reporting by Vishaka George and Anya George Tharakan in Bengaluru; Editing by Sai Sachin Ravikumar)