SAP pushes to patch risky HANA security flaws before hackers strike

SAP logo at SAP headquarters in Walldorf, Germany, January 24, 2017. REUTERS/Ralph Orlowski

By Eric Auchard

FRANKFURT (Reuters) – Europe’s top software maker SAP said on Tuesday it had patched vulnerabilities in its latest HANA software that had a potentially high risk of giving hackers control over databases and business applications used to run big multinational firms.

While hacks on phones, websites and computers that consumers rely on every day grab headlines, vulnerabilities in big business software are more lucrative to attackers as these tools store data and run transactions which are the lifeblood of businesses.

The latest security weaknesses, known in industry parlance as “zero day” vulnerabilities, rank among the most critical ever found in HANA, the engine that runs SAP’s latest database, cloud and other more traditional business apps, according to Onapsis, the security company which uncovered these issues.

SAP software acts as the corporate plumbing for many multinationals and the company claims 87 percent of the top 2,000 global companies as customers.

Onapsis said vulnerabilities lay in a HANA component known as “User Self Service” (USS) which would allow malicious insiders or remote attackers to fully compromise vulnerable systems, without so much as valid usernames and passwords.

It reported 10 HANA vulnerabilities to SAP less than 60 days ago, which the German software maker fixed in near-record time, according to interviews with executives of both companies.

The resulting patch issued by SAP on Tuesday was rated by it as 9.8 on a scale of 10, “very high” in terms of relative risk to its customers. SAP is releasing five HANA patches this week to fix a range of vulnerabilities uncovered in recent months.

“SAP has done a great job by releasing fixes much faster than in past situations,” Onapsis Chief Executive Mariano Nunez told Reuters in an interview.

Customers must in turn choose when to apply such patches to software that runs their most critical corporate functions, a process that may take months or years, in rare cases. They must balance security risks against operational demands.

SAP executives urged security managers working for its customers to patch relevant systems.

“There has not been one case where a customer who applied the recommended patches has been affected,” Siddhartha Rao, vice president of SAP Product Security Response, said of the six years he has been on the job. “We currently expect there will not be that many customers affected by these issues,” he said.

Last May, however, the U.S. Department of Homeland Security issued an alert advising SAP customers they needed to urgently plug holes for which SAP already had offered patches in 2010, but which some customers failed to adopt, leaving dozens exposed to hacker break-ins afterward. (http://reut.rs/2mkTVgI)

Three dozen enterprises were found to have telltale signs of unauthorized access due to outdated or misconfigured SAP NetWeaver Java systems, Onapsis said at the time.

Onapsis helps secure more than 200 SAP customers ranging from Schlumberger to Sony Corp, Westinghouse and the U.S. Army. It also identifies security vulnerabilities for corporate customers in rival systems from Oracle.

Giving HANA customers breathing room, the USS component first offered by SAP in October 2014 is not activated by default, but must be specially enabled, Onapsis said.

It has identified two companies – an energy company and a retailer – where vulnerabilities were found and fixed. Companies which are not using USS features are unaffected, Onapsis said.

Technical details can be found on the security blogs of SAP (https://goo.gl/11Dz5w) and Onapsis (https://goo.gl/Xiryyp). There is no evidence hackers have taken advantage so far, the companies said.

Last year, the company issued more than 160 patches in all, SAP said. Ten percent of these were HANA related, Onapsis added.

(Reporting by Eric Auchard; Editing by Stephen Coates)

UK terrorism reinsurance fund hopes to include cyber: CEO

LONDON (Reuters) – Britain’s 6 billion pounds ($7.3 billion) terrorism reinsurance fund hopes to extend its cover to include cyber attacks on property, chief executive Julian Enoizi said.

Pool Re, set up in 1993, acts as a backstop to insurers paying out claims on property damage and business interruption.

It is financed by the insurance industry with government backing, and payouts depend on the British government deeming an attack to be terror-related, Enoizi said.

In 2002, Pool Re extended its cover to include chemical and biological attacks after the 9/11 attacks in the United States.

There have been several cyber attacks on property in recent years. In 2014, a German steel mill suffered damage to the plant’s network from a cyber attack.

Enoizi told Reuters that this and other incidents had been ruled out as terror attacks, but Pool Re needed to be prepared.

“Insurance is there for the unimaginable – we’re here to insure the unforeseen,” he said.

The fund has held discussions with the government and industry, and it hopes to add cyber to its coverage in the next few months, he added.

Enoizi said any increase in the premium costs to businesses for adding this cover would be accompanied by discounts for implementing government-approved cyber security policies.

The U.S. cyber insurance market is likely to have totalled about $3.25 billion in premiums in 2016, according to market survey The Betterley Report. The European market is seen as one-tenth of that, but demand has been increasing, insurers say.

Demand is expected to spike after EU legislation on data privacy is implemented by mid-2018. This will require companies to notify authorities of data breaches likely to harm individuals, similar to U.S. arrangements.

But most cyber policies relate to data loss, rather than attacks on property.

“We see this as a gap in the cover,” Enoizi said.

Cyber attacks on property worry businesses and insurers. These include an attack at some apartment buildings in Finland last year which knocked out the heating system when it was below freezing outside. This attack was not deemed an act of terror.

Insurers have said the source of a cyber attack is hard to prove, and most policies pay out regardless of the cause.

Pool Re’s cover would be limited to terror-related cyber attacks, once the British government assessed it to be an act of terrorism, Enoizi said.

(Reporting by Carolyn Cohn; Editing by Edmund Blair)

WikiLeaks offers CIA hacking tools to tech companies: Assange

WikiLeaks founder Julian Assange makes a speech from the balcony of the Ecuadorian Embassy, in central London, Britain February 5, 2016. REUTERS/Peter Nicholls/Files

By Dustin Volz and Eric Auchard

WASHINGTON/FRANKFURT (Reuters) – WikiLeaks will provide technology companies with exclusive access to CIA hacking tools that it possesses, to allow them to patch software flaws, founder Julian Assange said on Thursday.

The offer, if legitimate, could put Silicon Valley in the unusual position of deciding whether to cooperate with Assange, a man believed by some U.S. officials and lawmakers to be an untrustworthy pawn of Russian President Vladimir Putin, or a secretive U.S. spy agency.

It was not clear how WikiLeaks intended to cooperate with technology companies, or if they would accept his offer. The anti-secrecy group published documents on Tuesday describing secret Central Intelligence Agency hacking tools and snippets of computer code. It did not publish the full programs that would be needed to actually conduct cyber exploits against phones, computers and Internet-connected televisions.

Representatives of Alphabet Inc’s Google, Apple Inc, Microsoft Corp <MSFT.O> and Cisco Systems Inc <CSCO.O>, all of whose wares are subject to attacks described in the documents, did not immediately respond to requests for comment before regular business hours on the U.S. West Coast.

“Considering what we think is the best way to proceed and hearing these calls from some of the manufacturers, we have decided to work with them to give them some exclusive access to the additional technical details that we have so that the fixes can be developed and pushed out, so people can be secure,” Assange said during a press conference broadcast via Facebook Live.

Responding to Assange’s comments, CIA spokesman Jonathan Liu, said in a statement, “As we’ve said previously, Julian Assange is not exactly a bastion of truth and integrity.”

“Despite the efforts of Assange and his ilk, CIA continues to aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nation states and other adversaries.”

The disclosures alarmed the technology world and consumers concerned about the potential privacy implications of the cyber espionage tactics that were described.

One file described a program known as Weeping Angel that purportedly could take over a Samsung smart television, making it appear it was off when in fact it was recording conversations in the room.

Other documents described ways to hack into Apple Inc <AAPL.O> iPhones, devices running Google’s <GOOGL.O> Android software and other gadgets in a way that could observe communications before they are protected by end-to-end encryption offered by messaging apps like Signal or WhatsApp.

Several companies have already said they are confident that their recent security updates have already accounted for the purported flaws described in the CIA documents. Apple said in a statement on Tuesday that “many of the issues” leaked had already been patched in the latest version of its operating system.

WikiLeaks’ publication of the documents reignited a debate about whether U.S. intelligence agencies should hoard serious cyber security vulnerabilities rather than share them with the public. An interagency process created under former President Barack Obama called for erring on the side of disclosure.

President Donald Trump believed changes were needed to safeguard secrets at the CIA, White House spokesman Sean Spicer told a news briefing on Thursday. “He believes that the systems at the CIA are outdated and need to be updated.”

Two U.S. intelligence and law enforcement officials told Reuters on Wednesday that intelligence agencies have been aware since the end of last year of a breach at the CIA, which led to WikiLeaks releasing thousands of pages of information on its website.

The officials, speaking on condition of anonymity, said contractors likely breached security and handed over the documents to WikiLeaks. The CIA has declined to comment on the authenticity of the documents leaked, but the officials said they believed the pages about hacking techniques used between 2013 and 2016 were authentic.

Contractors have been revealed as the source of sensitive government information leaks in recent years, most notably Edward Snowden and Harold Thomas Martin, both employed by consulting firm Booz Allen Hamilton <BAH.N> while working for the National Security Agency.

Assange said he possessed “a lot more information” about the CIA’s cyber arsenal that would be released soon. He criticized the CIA for “devastating incompetence” for not being able to control access to such sensitive material.

Nigel Farage, the former leader of the populist UK Independence Party, visited Assange at the Ecuadorean embassy in London earlier on Thursday. A representative for Farage said he was unaware what was discussed.

Assange has been holed up since 2012 at the embassy, where he fled to avoid extradition to Sweden over allegations of rape, which he denies.

(Reporting by Dustin Volz; Additional reporting by Eric Auchard in Frankfurt, Joseph Menn in San Francisco and Guy Falconbridge in London; Editing by Frances Kerry and Grant McCool)

CIA contractors likely source of latest WikiLeaks release: U.S. officials

The lobby of the CIA Headquarters Building in Langley, Virginia, U.S. on August 14, 2008. REUTERS/Larry Downing/File Photo

By John Walcott and Mark Hosenball

WASHINGTON (Reuters) – Contractors likely breached security and handed over documents describing the Central Intelligence Agency’s use of hacking tools to anti-secrecy group WikiLeaks, U.S. intelligence and law enforcement officials told Reuters on Wednesday.

Two officials speaking on condition of anonymity said intelligence agencies have been aware since the end of last year of the breach, which led to WikiLeaks releasing thousands of pages of information on its website on Tuesday.

According to the documents, CIA hackers could get into Apple Inc <AAPL.O> iPhones, devices running Google’s Android software and other gadgets in order to capture text and voice messages before they were encrypted with sophisticated software.

The White House said on Wednesday that President Donald Trump was “extremely concerned” about the CIA security breach that led to the WikiLeaks release.

“Anybody who leaks classified information will be held to the highest degree of law,” spokesman Sean Spicer said.

The two officials told Reuters they believed the published documents about CIA hacking techniques used between 2013 and 2016 were authentic.

One of the officials with knowledge of the investigation said companies that are contractors for the CIA have been checking to see which of their employees had access to the material that WikiLeaks published, and then going over their computer logs, emails and other communications for any evidence of who might be responsible.

On Tuesday in a press release, WikiLeaks itself said the CIA had “lost control” of an archive of hacking methods and it appeared to have been circulated “among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”

The CIA, which is the United States’ civilian foreign intelligence service, declined to comment on the authenticity of purported intelligence documents.

The agency said in a statement that its mission was to collect foreign intelligence abroad “to protect America from terrorists, hostile nation states and other adversaries” and to be “innovative, cutting-edge, and the first line of defense in protecting this country from enemies abroad.”

The CIA is legally prohibited from surveillance inside the United States and “does not do so”, the statement added.

CONTRACTORS MUST BE ‘LOYAL TO AMERICA’

A U.S. government source familiar with the matter said it would be normal for the Federal Bureau of Investigation and the CIA both to open investigations into such leaks. U.S. officials previously have confirmed that prosecutors in Alexandria, Virginia for years have been conducting a federal grand jury investigation of WikiLeaks and its personnel.

A spokesman for the prosecutors declined to comment on the possibility of that probe being expanded. It is not clear if the investigation of the latest CIA leaks is part of the probe.

Contractors have been revealed as the source of sensitive government information leaks in recent years, most notably Edward Snowden and Harold Thomas Martin, both employed by consulting firm Booz Allen Hamilton <BAH.N> while working for the National Security Agency.

U.S. Senator Dianne Feinstein of California and a Democrat on the intelligence committee, said the government needed to stop the breaches.

“I think we really need to take a look at the contractor portion of the employee workforce, because you have to be loyal to America to work for an intelligence agency, otherwise don’t do it,” Feinstein said.

Both U.S. Senate and U.S. House of Representatives intelligence committees have either opened or are expected to open inquiries into the CIA breach, congressional officials said.

Some cyber security experts and technology companies have criticized the government for opting to exploit rather than disclose software vulnerabilities, though an interagency review process set up under former President Barack Obama was intended to err on the side of disclosure.

Those concerns would grow if U.S. authorities did not notify companies that CIA documents describing various hacking techniques had been compromised.

Apple, Alphabet Inc’s <GOOGL.O> Google, Cisco Systems Inc <CSCO.O> and Oracle Corp <ORCL.N> did not immediately respond when asked if they were notified of a CIA breach before WikiLeaks made its files public.

At Apple, none of the vulnerabilities described in the documents provoked a panic, though analysis was continuing, according to a person who spoke with engineers there.

Google’s director of information security and privacy, Heather Adkins, said in a statement: “As we’ve reviewed the documents, we’re confident that security updates and protections in both Chrome and Android (operating systems) already shield users from many of these alleged vulnerabilities. Our analysis is ongoing and we will implement any further necessary protections.”

LARGER NUMBER OF CONTRACTORS

One reason the investigation is focused on a potential leak by contractors rather than for example a hack by Russian intelligence, another official said, is that so far there is no evidence that Russian intelligence agencies tried to exploit any of the leaked material before it was published.

One European official, speaking on condition of anonymity, said the WikiLeaks material could in fact lead to closer cooperation between European intelligence agencies and U.S. counterparts, which share concerns about Russian intelligence operations.

U.S. intelligence agencies have accused Russia of seeking to tilt last year’s U.S. presidential election in Trump’s favor, including by hacking into Democratic Party emails. Moscow has denied the allegation.

One major security problem was that the number of contractors with access to information with the highest secrecy classification has “exploded” because of federal budget constraints, the first U.S. official said.

U.S. intelligence agencies have been unable to hire additional permanent staff needed to keep pace with technological advances such as the “internet of things” that connects cars, home security and heating systems and other devices to computer networks, or to pay salaries competitive with the private sector, the official said.

Reuters could not immediately verify the contents of the published documents.

A person familiar with WikiLeaks’ activities said the group has had the CIA hacking material for months, and that the release of the material was in the works “for a long time.”

In Germany on Wednesday, the chief federal prosecutor’s office said that it would review the WikiLeaks documents because some suggested that the CIA ran a hacking hub from the U.S. consulate in Frankfurt.

“We will initiate an investigation if we see evidence of concrete criminal acts or specific perpetrators,” a spokesman for the federal prosecutor’s office told Reuters.

Chancellor Angela Merkel is scheduled to visit Washington on March 14 for her first meeting with Trump, who has sharply criticized Berlin for everything from its trade policy to what he considers inadequate levels of military spending.

(Reporting by John Walcott, Mark Hosenball, Dustin Volz, Yara Bayoumy in Washington and Matthias Sobolewski and Andrea Shalal in Berlin; Additional reporting by Joseph Menn in San Francisco; Writing by Grant McCool; Editing by Peter Graff and Bill Rigby)

WikiLeaks says it releases files on CIA cyber spying tools

FILE PHOTO: People are silhouetted as they pose with laptops in front of a screen projected with binary code and a Central Intelligence Agency (CIA) emblem, in this picture illustration taken in Zenica, Bosnia and Herzegovina October 29, 2014. REUTERS/Dado Ruvic/File Photo/Illustration

By Dustin Volz and Warren Strobel

WASHINGTON (Reuters) – Anti-secrecy group WikiLeaks on Tuesday published what it said were thousands of pages of internal CIA discussions about hacking techniques used over several years, renewing concerns about the security of consumer electronics and embarrassing yet another U.S. intelligence agency.

The discussion transcripts showed that CIA hackers could get into Apple Inc iPhones, Google Inc Android devices and other gadgets in order to capture text and voice messages before they were encrypted with sophisticated software.

Cyber security experts disagreed about the extent of the fallout from the data dump, but said a lot would depend on whether WikiLeaks followed through on a threat to publish the actual hacking tools that could do damage.

Reuters could not immediately verify the contents of the published documents, but several contractors and private cyber security experts said the materials, dated between 2013 and 2016, appeared to be legitimate.

A longtime intelligence contractor with expertise in U.S. hacking tools told Reuters the documents included correct “cover” terms describing active cyber programs.

Among the most noteworthy WikiLeaks claims is that the Central Intelligence Agency, in partnership with other U.S. and foreign agencies, has been able to bypass the encryption on popular messaging apps such as WhatsApp, Telegram and Signal.

The files did not indicate the actual encryption of Signal or other secure messaging apps had been compromised.

The information in what WikiLeaks said were 7,818 web pages with 943 attachments appears to represent the latest breach in recent years of classified material from U.S. intelligence agencies.

Security experts differed over how much the disclosures could damage U.S. cyber espionage. Many said that, while harmful, they do not compare to former National Security Agency contractor Edward Snowden’s revelations in 2013 of mass NSA data collection.

“This is a big dump about extremely sophisticated tools that can be used to target individual user devices … I haven’t yet come across the mass exploiting of mobile devices,” said Tarah Wheeler, senior director of engineering and principal security advocate for Symantec.

Stuart McClure, CEO of Cylance, an Irvine, California, cyber security firm, said that one of the most significant disclosures shows how CIA hackers cover their tracks by leaving electronic trails suggesting they are from Russia, China and Iran rather than the United States.

Other revelations show how the CIA took advantage of vulnerabilities that are known, if not widely publicized.

In one case, the documents say, U.S. and British personnel, under a program known as Weeping Angel, developed ways to take over a Samsung smart television, making it appear it was off when in fact it was recording conversations in the room.

The CIA and White House declined comment. “We do not comment on the authenticity or content of purported intelligence documents,” CIA spokesman Jonathan Liu said in a statement.

Google declined to comment on the purported hacking of its Android platform, but said it was investigating the matter.

Snowden on Twitter said the files amount to the first public evidence that the U.S. government secretly buys software to exploit technology, referring to a table published by WikiLeaks that appeared to list various Apple iOS flaws purchased by the CIA and other intelligence agencies.

Apple Inc did not respond to a request for comment.

The documents refer to means for accessing phones directly in order to catch messages before they are protected by end-to-end encryption tools like Signal.

Signal inventor Moxie Marlinspike said he took that as “confirmation that what we’re doing is working.” Signal and the like are “pushing intelligence agencies from a world of undetectable mass surveillance to a world where they have to use expensive, high-risk, extremely targeted attacks.”

CIA CYBER PROGRAMS

The CIA in recent years underwent a restructuring to focus more on cyber warfare to keep pace with the increasing digital sophistication of foreign adversaries. The spy agency is prohibited by law from collecting intelligence that details domestic activities of Americans and is generally restricted in how it may gather any U.S. data for counterintelligence purposes.

The documents published Tuesday appeared to supply specific details to what has been long-known in the abstract: U.S. intelligence agencies, like their allies and adversaries, are constantly working to discover and exploit flaws in any manner of technology products.

Unlike the Snowden leaks, which revealed the NSA was secretly collecting details of telephone calls by ordinary Americans, the new WikiLeaks material did not appear to contain material that would fundamentally change what is publicly known about cyber espionage.

WikiLeaks, led by Julian Assange, said its publication of the documents on the hacking tools was the first in a series of releases drawing from a data set that includes several hundred million lines of code and includes the CIA’s “entire hacking capacity.”

The documents only include snippets of computer code, not the full programs that would be needed to conduct cyber exploits.

WikiLeaks said it was refraining from disclosing usable code from CIA’s cyber arsenal “until a consensus emerges on the technical and political nature of the C.I.A.’s program and how such ‘weapons’ should be analyzed, disarmed and published.”

U.S. intelligence agencies have said that Wikileaks has ties to Russia’s security services. During the 2016 U.S. presidential campaign, Wikileaks published internal emails of top Democratic Party officials, which the agencies said were hacked by Moscow as part of a coordinated influence campaign to help Republican Donald Trump win the presidency.

WikiLeaks has denied ties to Russian spy agencies.

Trump praised WikiLeaks during the campaign, often citing hacked emails it published to bolster his attacks on Democratic Party candidate Hillary Clinton.

WikiLeaks said on Tuesday that the documents showed that the CIA hoarded serious security vulnerabilities rather than share them with the public, as called for under a process established by President Barack Obama.

Rob Knake, a former official who dealt with the issue under Obama, said he had not seen evidence in what was published to support that conclusion.

The process “is not a policy of unilateral disarmament in cyberspace. The mere fact that the CIA may have exploited zero-day [previously undisclosed] vulnerabilities should not surprise anyone,” said Knake, now at the Council on Foreign Relations.

U.S. officials, speaking on condition of anonymity, said they did not know where WikiLeaks might have obtained the material.

In a press release, the group said, “The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”

U.S. intelligence agencies have suffered a series of security breaches, including Snowden’s.

In 2010, U.S. military intelligence analyst Chelsea Manning provided more than 700,000 documents, videos, diplomatic cables and battlefield accounts to Wikileaks.

Last month, former NSA contractor Harold Thomas Martin was indicted on charges of taking highly sensitive government materials over a course of 20 years, storing the secrets in his home.

(Reporting by Dustin Volz and Warren Strobel; additional reporting by Joseph Menn, Mark Hosenball, Jonathan Landay and Jim Finkle; Editing by Grant McCool)

Consumer Reports to consider cyber security in product reviews

A lock icon, signifying an encrypted Internet connection, is seen on an Internet Explorer browser in a photo illustration in Paris April 15, 2014. REUTERS/Mal Langsdon

(Reuters) – Consumer Reports, an influential U.S. non-profit group that conducts extensive reviews of cars, kitchen appliances and other goods, is gearing up to start considering cyber security and privacy safeguards when scoring products.

The group, which issues scores that rank products it reviews, said on Monday it had collaborated with several outside organizations to develop methodologies for studying how easily a product can be hacked and how well customer data is secured.

Consumer Reports will gradually implement the new methodologies, starting with test projects that evaluate small numbers of products, Maria Rerecich, the organization’s director of electronics testing, said in a phone interview.

“This is a complicated area. There is going to be a lot of refinement to get this right,” Rerecich said.

The effort follows a surge in cyber attacks leveraging easy-to-exploit vulnerabilities in webcams, routers, digital video recorders and other connected devices, which are sometimes collectively referred to as the internet of things.

“Personal cyber security and privacy is a big deal for everyone. This is urgently needed,” said Craig Newmark, the founder of Craigslist who sits on the board of directors at Consumer Reports.

In one high-profile October attack, hackers used a piece of software known as Mirai to cripple an internet infrastructure provider, blocking access to PayPal, Spotify, Twitter and dozens of other websites for hours. Another attack in November shut off internet access to some 900,000 Deutsche Telekom customers.

Security researchers have said the attacks are likely to continue because there is little incentive for manufacturers to spend on securing connected devices.

“We need to shed light that this industry really hasn’t been caring about the build quality and software safety,” said Peiter Zatko, a well-known hacker who is director of Cyber Independent Testing Lab, one of the groups that helped Consumer Reports establish the standards.

The first draft of the standards is available online at https://thedigitalstandard.org.

Issues covered in the draft include reviewing whether software is built using best security practices, studying how much information is collected about a consumer and checking whether companies delete all user data when an account is terminated.

Jeff Joseph, senior vice president for the Consumer Technology Association, called the decision by Consumer Reports a “positive step” but cautioned that the group “must be very clear about how they score products and the limitations of what consumers can expect.”

(Reporting by Jim Finkle in Boston; Editing by Peter Cooney and Lisa Shumaker)

Yahoo says about 32 million accounts accessed using ‘forged cookies’

A photo illustration shows a Yahoo logo on a smartphone in front of a displayed cyber code and keyboard on December 15, 2016. REUTERS/Dado Ruvic/File Illustration

(Reuters) – Yahoo Inc <YHOO.O>, which disclosed two massive data breaches last year, said on Wednesday that about 32 million user accounts were accessed by intruders in the last two years using forged cookies.

The company said some of the latest intrusions can be connected to the “same state-sponsored actor believed to be responsible for the 2014 breach”, in which at least 500 million accounts were affected.

“Based on the investigation, we believe an unauthorized third party accessed the company’s proprietary code to learn how to forge certain cookies,” Yahoo said in its latest annual filing.

These cookies have been invalidated so they cannot be used to access user accounts, the company said.

Forged cookies allow an intruder to access a user’s account without a password.
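The two sentences above describe the whole mechanism from the defender's side: a session cookie stands in for a password, so its value rests entirely on the server being able to tell a cookie it issued from one an outsider made up, and the fix once forgery is suspected is to invalidate every outstanding cookie. The Python below is an added illustration written for this page, not Yahoo's code and not a description of how Yahoo's cookies were built; the cookie format, key ids and the `mint_cookie` / `verify_cookie` / `rotate_signing_key` names are assumptions. It signs each cookie with HMAC-SHA256 under a server-side key, rejects a cookie whose payload has been altered or whose key id is unknown, and shows that rotating the key retires every cookie minted under the old one at once.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Server-side signing keys indexed by key id (constructed for this example;
# in production they live in a secrets store, never in source code). Whoever
# learns the active key can mint a cookie for any account without knowing a
# password, which is exactly why leaking the code or material that produces
# cookies is treated as an account-wide compromise.
_KEYS: Dict[str, bytes] = {"k1": secrets.token_bytes(32)}
_ACTIVE_KEY_ID = "k1"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def mint_cookie(user_id: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Issue a session cookie of the form <b64 payload>.<b64 HMAC-SHA256>."""
    issued = time.time() if now is None else now
    payload = json.dumps(
        {"uid": user_id, "exp": issued + ttl_seconds, "kid": _ACTIVE_KEY_ID},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    return _b64e(payload) + "." + _b64e(_sign(_KEYS[_ACTIVE_KEY_ID], payload))


def verify_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, else None."""
    try:
        payload_b64, sig_b64 = cookie.split(".", 1)
        payload = _b64d(payload_b64)
        sig = _b64d(sig_b64)
        claims = json.loads(payload)
        key = _KEYS.get(claims["kid"])
    except (ValueError, KeyError, TypeError):
        return None
    if key is None:
        # Unknown or retired key id: minted under a key we no longer honour.
        return None
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(sig, _sign(key, payload)):
        return None
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        return None
    return claims["uid"]


def rotate_signing_key(new_key_id: str) -> None:
    """Retire every existing key and install a fresh one.

    This single server-side change invalidates all outstanding cookies,
    legitimate and forged alike, without touching any user's password.
    """
    global _ACTIVE_KEY_ID
    _KEYS.clear()
    _KEYS[new_key_id] = secrets.token_bytes(32)
    _ACTIVE_KEY_ID = new_key_id


def tamper_cookie(cookie: str, new_user_id: str) -> str:
    """Rewrite the user id in a cookie while keeping its original MAC.

    Used here only to show that verify_cookie rejects a payload that was
    changed after signing: the MAC no longer matches the bytes it covers.
    """
    payload_b64, sig_b64 = cookie.split(".", 1)
    claims = json.loads(_b64d(payload_b64))
    claims["uid"] = new_user_id
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64e(payload) + "." + sig_b64


if __name__ == "__main__":
    good = mint_cookie("alice")
    print("issued cookie verifies as:", verify_cookie(good))
    print("tampered cookie verifies as:", verify_cookie(tamper_cookie(good, "admin")))
    rotate_signing_key("k2")
    print("old cookie after key rotation:", verify_cookie(good))
    print("new cookie after key rotation:", verify_cookie(mint_cookie("bob")))
```

The point a practitioner should take from it is that the server never stores a cookie's value; it only keeps the key and recomputes the MAC on every request, so "invalidating" cookies means rotating that key, and an attacker who obtains the key (or the code and secret that derive it) can produce cookies indistinguishable from real ones until rotation happens.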

Yahoo also said in December that data from more than 1 billion user accounts was compromised in August 2013, making it the largest breach in history.

The company said on Wednesday that it would not award Chief Executive Marissa Mayer a cash bonus for 2016, following the independent committee’s findings related to the 2014 security incident.

Mayer has also offered to forgo any 2017 annual equity award as the breaches occurred during her tenure, Yahoo said.

Last month, Verizon Communications Inc <VZ.N>, which is in the process of buying Yahoo’s core assets, lowered its original offer by $350 million to $4.48 billion.

(Reporting by Rishika Sadam in Bengaluru; Editing by Anil D’Silva)

China warns against cyber ‘battlefield’ in internet strategy

A map of China is seen through a magnifying glass on a computer screen showing binary digits in Singapore in this January 2, 2014 photo illustration. REUTERS/Edgar Su

BEIJING (Reuters) – The strengthening of cyber capabilities is an important part of China’s military modernization, the government said on Wednesday, warning that the internet should not become “a new battlefield”.

China, home to the largest number of internet users, has long called for greater cooperation among countries in developing and governing the internet, while reiterating the need to respect “cyber sovereignty”.

But Beijing, which operates the world’s most sophisticated online censorship mechanism known elsewhere as the “Great Firewall”, has also signaled that it wants to rectify “imbalances” in the way standards across cyberspace are set.

“The building of national defense cyberspace capabilities is an important part of China’s military modernization,” the Foreign Ministry and the Cyberspace Administration of China, the country’s internet regulator, said in a strategy paper on the ministry’s website.

China will help the military in its important role of “safeguarding national cyberspace sovereignty, security and development interests” and “hasten the building of cyberspace capabilities”, they said, but also called on countries to “guard against cyberspace becoming a new battlefield”.

Countries should not engage in internet activities that harm nations’ security, interfere in their internal affairs, and “should not engage in cyber hegemony”.

“Enhancing deterrence, pursuing absolute security and engaging in a (cyber) arms race – this is a road to nowhere,” Long Zhao, the Foreign Ministry’s coordinator of cyberspace affairs, said at a briefing on the strategy.

“China is deeply worried by the increase of cyber attacks around the world,” Long said.

The United States has accused China’s government and military of cyber attacks on U.S. government computer systems. China denies the accusations and says it is a victim of hacking.

A cyber attack from China crashed the website of South Korea’s Lotte Duty Free on Thursday, a company official said, at a time when South Korean firms are reporting difficulties in China following the deployment of a U.S. missile defense system in South Korea that China objects to.

While China’s influence in global technology has grown, its ruling Communist Party led by President Xi Jinping has presided over broader and more vigorous efforts to control and censor the flow of information online.

The “Great Firewall” blocks many social media services, such as Twitter, Facebook, YouTube, Instagram, Snapchat and Google, along with sites run by human rights groups and those of some foreign media agencies.

Chinese officials say the country’s internet is thriving and controls are needed for security and stability.

(Reporting by Michael Martina and Catherine Cadell; Editing by Nick Macfie)

EU needs common approach on testing banks’ cyber-risks: Dombrovskis

European Commission Vice-President Valdis Dombrovskis addresses a news conference on the European Semester Winter Package in Brussels, Belgium February 22, 2017. REUTERS/Francois Lenoir

BRUSSELS (Reuters) – European Union countries should test bank defenses against cyber-attacks using a common set of requirements, a senior EU official said on Tuesday, as the bloc plans measures to boost the retail market for financial products.

Cyber attacks against banks have increased in numbers and sophistication in recent years, raising questions on lenders’ capacity to protect their customers.

Seeking to reassure savers and strengthen financial stability, several EU countries are conducting tests on banks’ security systems, but EU authorities warned national initiatives may be less effective and more costly than a common EU approach.

“We want to avoid a proliferation of testing obligations that operate in different countries,” the EU commission’s vice president Valdis Dombrovskis told a conference in Brussels.

“We believe tests that meet comparable standards should be recognized across borders,” he added. This could pave the way for common stress-tests carried out at EU level, as suggested by EU officials in past weeks.

The call for higher cyber-security comes as the Commission prepares a policy action plan on retail financial services, such as insurance, loans and payments, that will be released in the coming weeks.

Dombrovskis said the plan would encourage the use of remote identification schemes, such as e-signature and e-identification, to try to boost consumers’ access to financial services and lower costs.

It will also attempt to facilitate the take-up of new technologies in the financial sector, where emerging fintech companies are challenging traditional actors in a range of services, including payments and insurance.

“Our focus should be on removing barriers to market entry and keeping our legislation proportionate,” Dombrovskis said, noting that changes may create new risks that need to be addressed with greater sharing of information among financial firms and common testing of security systems.

(Reporting by Francesco Guarascio; Editing by Keith Weir)

Homeland Security employees locked out of computer networks: sources

A U.S. Customs and Border Protection agent applauds President Donald Trump's remarks at Homeland Security headquarters in Washington, U.S. January 25, 2017. REUTERS/Jonathan Ernst

By Dustin Volz

WASHINGTON (Reuters) – U.S. Department of Homeland Security employees in the Washington area were unable to access some agency computer networks on Tuesday, according to three sources familiar with the matter.

It was not immediately clear how widespread the issue was or how significantly it affected daily functions at DHS, a large government agency whose responsibilities include immigration services, border security and cyber defense.

Employees began experiencing problems logging into networks at 5 a.m. ET on Tuesday due to a problem related to the personal identity verification (PIV) cards used by federal workers and contractors to access certain information systems, one source said. At least four DHS buildings were affected, the source said, including locations used by U.S. Citizenship and Immigration Services.

Another source said the cards did not appear to be responsible. DHS did not immediately respond to requests for comment.

President Donald Trump vowed to make cyber security a priority during his administration, following an election marred by hacks of Democratic Party emails that U.S. intelligence agencies concluded were carried out by Russia in order to help Trump, a Republican, win. At a White House event last month he said he would “hold my Cabinet secretaries and agency heads accountable, totally accountable, for the cyber security of their organizations.”

Trump had planned to sign a cyber security executive order last month but it was put on hold to allow more time for review.

(Reporting by Dustin Volz; Editing by Jonathan Oatis)