New genre of artificial intelligence programs take computer hacking to another level

FILE PHOTO: Servers for data storage are seen at Advania's Thor Data Center in Hafnarfjordur, Iceland August 7, 2015. REUTERS/Sigtryggur Ari

By Joseph Menn

SAN FRANCISCO (Reuters) – The nightmare scenario for computer security – artificial intelligence programs that can learn how to evade even the best defenses – may already have arrived.

That warning from security researchers is driven home by a team from IBM Corp. who have used the artificial intelligence technique known as machine learning to build hacking programs that could slip past top-tier defensive measures. The group will unveil details of its experiment at the Black Hat security conference in Las Vegas on Wednesday.

State-of-the-art defenses generally rely on examining what the attack software is doing, rather than the more commonplace technique of analyzing software code for danger signs. But the new genre of AI-driven programs can be trained to stay dormant until they reach a very specific target, making them exceptionally hard to stop.

No one has yet boasted of catching any malicious software that clearly relied on machine learning or other variants of artificial intelligence, but that may just be because the attack programs are too good to be caught.

Researchers say that, at best, it’s only a matter of time. Free artificial intelligence building blocks for training programs are readily available from Alphabet Inc’s Google and others, and the ideas work all too well in practice.

“I absolutely do believe we’re going there,” said Jon DiMaggio, a senior threat analyst at cybersecurity firm Symantec Corp. “It’s going to make it a lot harder to detect.”

The most advanced nation-state hackers have already shown that they can build attack programs that activate only when they have reached a target. The best-known example is Stuxnet, which was deployed by U.S. and Israeli intelligence agencies against a uranium enrichment facility in Iran.

The IBM effort, named DeepLocker, showed that a similar level of precision can be available to those with far fewer resources than a national government.

In a demonstration using publicly available photos of a sample target, the team used a hacked version of video conferencing software that swung into action only when it detected the face of a target.

“We have a lot of reason to believe this is the next big thing,” said lead IBM researcher Marc Ph. Stoecklin. “This may have happened already, and we will see it two or three years from now.”

At a recent New York conference, Hackers on Planet Earth, defense researcher Kevin Hodges showed off an “entry-level” automated program he made with open-source training tools that tried multiple attack approaches in succession.

“We need to start looking at this stuff now,” said Hodges. “Whoever you personally consider evil is already working on this.”

(Reporting by Joseph Menn; Editing by Jonathan Weber and Susan Fenton)

Facebook fakers get better at covering tracks, security experts say

FILE PHOTO: People are silhouetted as they pose with mobile devices in front of a screen projected with a Facebook logo, in this picture illustration taken in Zenica, October 29, 2014. REUTERS/Dado Ruvic/File Photo

By Christopher Bing

WASHINGTON (Reuters) – Creators of fake accounts and news pages on Facebook are learning from their past mistakes and making themselves harder to track and identify, posing new challenges in preventing the platform from being used for political misinformation, cybersecurity experts say.

This was apparent as Facebook tried to determine who created pages it said were aimed at sowing dissension among U.S. voters ahead of congressional elections in November. The company said on Tuesday it had removed 32 fake pages and accounts from Facebook and Instagram involved in what it called “coordinated inauthentic behavior.”

While the United States improves its efforts to monitor and root out such intrusions, the intruders keep getting better at it, said cyber security experts interviewed over the past two days.

Ben Nimmo, a senior fellow at the Washington-based Digital Forensic Research Lab, said he had noticed the latest pages used less original language, rather cribbing from copy already on the internet.

“Linguistic mistakes would give them away before, between 2014 and 2017,” Nimmo told Reuters. “In some of these newer cases it seems they’ve caught on to that by writing less (original material) when posting things. With their longer posts sometimes it’s just pirated, copy and pasted from some American website. That makes them less suspicious.”

Facebook’s prior announcement on the topic of fake accounts, in April, directly connected a Russian group known as the Internet Research Agency to a myriad of posts, events and propaganda that were placed on Facebook leading up to the 2016 U.S. presidential election.

This time, Facebook did not identify the source of the misinformation.

“It’s clear that whoever set up these accounts went to much greater lengths to obscure their true identities than the Russian-based Internet Research Agency (IRA) has in the past,” the company said in a blog post on Tuesday announcing the removal of the pages. “Our technical forensics are insufficient to provide high confidence attribution at this time.”

Facebook said it had shared evidence connected to the latest flagged posts with several private sector partners, including the Digital Forensic Research Lab, an organization founded by the Atlantic Council, a Washington think tank.

Facebook also said the use of virtual private networks, internet phone services, and domestic currency to pay for advertisements helped obfuscate the source of the accounts and pages. The perpetrators also used a third party, which Facebook declined to name, to post content.

Facebook declined to comment further, referring back to its blog post.

U.S. President Donald Trump’s top national security aides said on Thursday that Russia is behind “pervasive” attempts to interfere in November’s elections and that they expect attempts by Russia, and others, will continue into the 2020 elections.

They say they are concerned that attempts will be made to foment confusion and anger among various political groups in the United States and cause a distrust of the electoral process.

Two U.S. intelligence officials who requested anonymity told Reuters this week there was insufficient evidence to conclude that Russia was behind the latest Facebook campaign. However, one said, “the similarities, aims and methodology relative to the 2016 Russian campaign are quite striking.”

‘PREVIOUS MISTAKES’

Experts who track online disinformation campaigns said the groups who launch such efforts have changed how they post content and create posts.

“These actors are learning from previous mistakes,” said John Kelly, chief executive of social media intelligence firm Graphika, adding they do not use the same internet addresses or pay in foreign currency.

“And as more players in the world learn these dark arts, it’s easier for them to hide among the multiple actors deploying the same playbook,” he said.

Philip Howard, an Oxford University professor of internet studies and director of the Oxford Internet Institute, said that suspicious social media accounts like those taken down this week were once more easily identifiable because they shared the same information from high-profile publications like RT, the Russian English-language news service, or Breitbart News Network.

But now, the content they often share is more diverse and less discernible, coming from lesser known sites, including internet forums that mix political news with other topics, he said.

“The junk news they’re sharing is using better quality images, for example, more believable domains, less-known websites, smaller blogs,” Howard added.

U.S. intelligence agencies have concluded that Russia meddled in the 2016 presidential campaign using tactics including fake Facebook accounts. The Internet Research Agency was one of three Russian companies charged in February by U.S. Special Counsel Robert Mueller with conspiracy to tamper with the 2016 election.

Moscow has denied any election interference.

(Reporting by Christopher Bing in Washington; Additional reporting by John Walcott; Editing by Damon Darlin and Frances Kerry)

Pentagon creating software ‘do not buy’ list to keep out Russia, China

FILE PHOTO: An aerial view of the Pentagon building in Washington, June 15, 2005. REUTERS/Jason Reed

By Mike Stone

WASHINGTON (Reuters) – The Pentagon is working on a software “do not buy” list to block vendors who use software code originating from Russia and China, a top Defense Department acquisitions official said on Friday.

Ellen Lord, the undersecretary of defense for acquisition and sustainment, told reporters the Pentagon had been working for six months on a “do not buy” list of software vendors. The list is meant to help the Department of Defense’s acquisitions staff and industry partners avoid buying problematic code for the Pentagon and suppliers.

“What we are doing is making sure that we do not buy software that has Russian or Chinese provenance, for instance, and quite often that’s difficult to tell at first glance because of holding companies,” she told reporters gathered in a conference room near her Pentagon office.

The Pentagon has worked closely with the intelligence community, she said, adding “we have identified certain companies that do not operate in a way consistent with what we have for defense standards.”

Lord did not provide any further details on the list.

Lord’s comments were made ahead of the likely passage of the Pentagon’s spending bill by Congress as early as next week. The bill contains provisions that would force technology companies to disclose if they allowed countries like China and Russia to examine the inner workings of software sold to the U.S. military.

The legislation was drafted after a Reuters investigation found that software makers allowed a Russian defense agency to hunt for vulnerabilities in software used by some agencies of the U.S. government, including the Pentagon and intelligence agencies.

Security experts said allowing Russian authorities to look into the internal workings of software, known as source code, could help adversaries like Moscow or Beijing to discover vulnerabilities they could exploit to more easily attack U.S. government systems.

Lord added an upcoming report on the U.S. military supply chain will show that the Pentagon depends on foreign suppliers, including Chinese firms, for components in some military equipment.

She said the Pentagon also wants to strengthen its suppliers’ ability to withstand cyber attacks and will test their cybersecurity defenses by attempting to hack them.

The Pentagon disclosed the measures as the federal government looks to bolster cyber defenses following attacks on the United States that the government has blamed on Russia, North Korea, Iran, and China.

The Department of Homeland Security this week disclosed details about a string of cyber attacks that officials said put hackers working on behalf of the Russian government in a position where they could manipulate some industrial systems used to control infrastructure, including at least one power generator.

(Reporting by Mike Stone; Editing by Chris Sanders, Bernadette Baum and Jonathan Oatis)

Tech firms, including Microsoft, Facebook, vow not to aid government cyber attacks

Silhouettes of mobile users are seen next to a screen projection of Microsoft logo in this picture illustration taken March 28, 2018. REUTERS/Dado Ruvic/Illustration

By Dustin Volz

SAN FRANCISCO (Reuters) – Microsoft, Facebook and more than 30 other global technology companies on Tuesday announced a joint pledge not to assist any government in offensive cyber attacks.

The Cybersecurity Tech Accord, which vows to protect all customers from attacks regardless of geopolitical or criminal motive, follows a year that witnessed an unprecedented level of destructive cyber attacks, including the global WannaCry worm and the devastating NotPetya attack.

“The devastating attacks from the past year demonstrate that cyber security is not just about what any single company can do but also about what we can all do together,” Microsoft President Brad Smith said in a statement. “This tech sector accord will help us take a principled path toward more effective steps to work together and defend customers around the world.”

Smith, who helped lead efforts to organize the accord, was expected to discuss the alliance in a speech on Tuesday at the RSA cyber security conference in San Francisco.

The accord also promised to establish new formal and informal partnerships within the industry and with security researchers to share threats and coordinate vulnerability disclosures.

The pledge builds on an idea for a so-called Digital Geneva Convention Smith rolled out at last year’s RSA conference, a proposal to create an international body to protect civilians from state-sponsored hacking.

Countries, Smith said then, should develop global rules for cyber attacks similar to those established for armed conflict at the 1949 Geneva Convention that followed World War Two.

In addition to Microsoft and Facebook, 32 other companies signed the pledge, including Cisco, Juniper Networks, Oracle, Nokia, SAP, Dell and cyber security firms Symantec, FireEye and Trend Micro.

The list of companies does not include any from Russia, China, Iran or North Korea, widely viewed as the most active in launching destructive cyber attacks against their foes.

Major U.S. technology companies Amazon, Apple, Alphabet and Twitter also did not sign the pledge.

(Reporting by Dustin Volz; Editing by Dan Grebler)

FBI chief calls unbreakable encryption ‘urgent public safety issue’

FILE PHOTO: FBI Director Christopher Wray delivers remarks to a graduation ceremony at the FBI Academy on the grounds of Marine Corps Base Quantico in Quantico, Virginia, U.S. December 15, 2017.

By Dustin Volz

NEW YORK (Reuters) – The inability of law enforcement authorities to access data from electronic devices due to powerful encryption is an “urgent public safety issue,” FBI Director Christopher Wray said on Tuesday as he sought to renew a contentious debate over privacy and security.

The Federal Bureau of Investigation was unable to use technical tools to access data from nearly 7,800 devices in the fiscal year that ended Sept. 30, despite possessing proper legal authority to pry them open, a growing figure that impacts every area of the agency’s work, Wray said during a speech at a cyber security conference in New York.

The FBI has been unable to access data in more than half of the devices that it tried to unlock due to encryption, Wray added.

“This is an urgent public safety issue,” Wray added, while saying that a solution is “not so clear cut.”

Technology companies and many digital security experts have said that the FBI’s attempts to require that devices allow investigators a way to access a criminal suspect’s cellphone would harm internet security and empower malicious hackers. U.S. lawmakers, meanwhile, have expressed little interest in pursuing legislation to require companies to create products whose contents are accessible to authorities who obtain a warrant.

Wray’s comments at the International Conference on Cyber Security were his most extensive yet as FBI director about the so-called Going Dark problem, which his agency and local law enforcement authorities for years have said bedevils countless investigations. Wray took over as FBI chief in August.

The FBI supports strong encryption and information security broadly, Wray said, but described the current status quo as untenable.

“We face an enormous and increasing number of cases that rely heavily, if not exclusively, on electronic evidence,” Wray told an audience of FBI agents, international law enforcement representatives and private sector cyber professionals. A solution requires “significant innovation,” Wray said, “but I just do not buy the claim that it is impossible.”

Wray’s remarks echoed those of his predecessor, James Comey, who before being fired by President Donald Trump in May frequently spoke about the dangers of unbreakable encryption.

Tech companies and many cyber security experts have said that any measure ensuring that law enforcement authorities are able to access data from encrypted products would weaken cyber security for everyone.

U.S. officials have said that default encryption settings on cellphones and other devices hinder their ability to collect evidence needed to pursue criminals.

The matter came to a head in 2016 when the Justice Department tried unsuccessfully to force Apple Inc to break into an iPhone used by a gunman during a mass shooting in San Bernardino, California.

The Trump administration at times has taken a tougher stance on the issue than former President Barack Obama’s administration. U.S. Deputy Attorney General Rod Rosenstein in October chastised technology companies for building strongly encrypted products, suggesting Silicon Valley is more willing to comply with foreign government demands for data than those made by their home country.

(Reporting by Dustin Volz; Editing by Will Dunham)

Hackers halt plant operations in watershed cyber attack

By Jim Finkle

(Reuters) – Hackers likely working for a nation-state recently invaded the safety system of a critical infrastructure facility in a watershed attack that halted plant operations, according to cyber investigators and the firm whose software was targeted.

FireEye Inc <FEYE.O> disclosed the incident on Thursday, saying it targeted Triconex industrial safety technology from Schneider Electric SE <SCHN.PA>.

Schneider confirmed that the incident had occurred and that it had issued a security alert to users of Triconex, which cyber experts said is widely used in the energy industry, including at nuclear facilities, and oil and gas plants.

FireEye and Schneider declined to identify the victim, industry or location of the attack. Cyber-security company Dragos said the hackers targeted an organization in the Middle East, while a second firm, CyberX, said it believed the victim was in Saudi Arabia.

It marks the first report of a safety system breach at an industrial plant by hackers, who have in recent years placed increasing attention on breaking into utilities, factories and other types of critical infrastructure, cyber experts said.

Compromising a safety system could let hackers shut it down in advance of attacking other parts of an industrial plant, potentially preventing operators from identifying and halting destructive attacks, they said.

Safety systems “could be fooled to indicate that everything is okay,” even as hackers damage a plant, said Galina Antova, co-founder of cyber-security firm Claroty.

“This is a watershed,” said Sergio Caltagirone, head of threat intelligence with Dragos. “Others will eventually catch up and try to copy this kind of attack.”

In the incident, hackers used sophisticated malware to take remote control of a workstation running a Schneider Electric Triconex safety shutdown system, then sought to reprogram controllers used to identify safety issues. Some controllers entered a fail safe mode, which caused related processes to shut down and caused the plant to identify the attack, FireEye said.

FireEye believes the attacker’s actions inadvertently caused the shutdown while probing the system to learn how it worked, said Dan Scali, who led FireEye’s investigation.

The attackers were likely conducting reconnaissance to learn how they could modify safety systems so they would not operate in the event that the hackers intended to launch an attack that disrupted or damaged the plant, he said.

PUBLIC WARNINGS

The U.S. government and private cyber-security firms have issued public warnings over the past few years about attempts by hackers from nations including Iran, North Korea and Russia and others to attack companies that run critical infrastructure plants in what they say are primarily reconnaissance operations.

CyberX Vice President Phil Neray said his firm found evidence that the malware was deployed in Saudi Arabia, which could suggest that Iran may be behind the attack.

Security researchers widely believe that Iran was responsible for a series of attacks on Saudi Arabian networks in 2012 and 2017 using a virus known as Shamoon.

Schneider provided Reuters with a customer security alert, dated Wednesday, which said it was working with the U.S. Department of Homeland Security to investigate the attack.

“While evidence suggests this was an isolated incident and not due to a vulnerability in the Triconex system or its program code, we continue to investigate whether there are additional attack vectors,” the alert said.

Department of Homeland Security spokesman Scott McConnell said the agency was looking into the matter “to assess the potential impact on critical infrastructure.”

The malware, which FireEye has dubbed Triton, is only the third type of computer virus discovered to date that is capable of disrupting industrial processes.

The first, Stuxnet, was discovered in 2010 and is widely believed by security researchers to have been used by the United States and Israel to attack Iran’s nuclear program.

The second, known as Crash Override or Industroyer, was discovered last year by researchers who said it was likely used in a December 2016 attack that cut power in Ukraine.

(Reporting by Jim Finkle in Toronto; Editing by Susan Thomas)

NATO mulls ‘offensive defense’ with cyber warfare rules

By Robin Emmott

TARTU, Estonia (Reuters) – A group of NATO allies are considering a more muscular response to state-sponsored computer hackers that could involve using cyber attacks to bring down enemy networks, officials said.

The United States, Britain, Germany, Norway, Spain, Denmark and the Netherlands are drawing up cyber warfare principles to guide their militaries on what justifies deploying cyber attack weapons more broadly, aiming for agreement by early 2019.

The doctrine could shift NATO’s approach from being defensive to confronting hackers that officials say Russia, China and North Korea use to try to undermine Western governments and steal technology.

“There’s a change in the (NATO) mindset to accept that computers, just like aircraft and ships, have an offensive capability,” said U.S. Navy Commander Michael Widmann at the NATO Cooperative Cyber Defence Centre of Excellence, a research center affiliated to NATO that is coordinating doctrine writing.

Washington already has cyber weapons, such as computer code to take down websites or shut down IT systems, and in 2011 declared that it would respond to hostile cyber acts.

The United States, and possibly Israel, are widely believed to have been behind “Stuxnet”, a computer virus that destroyed nuclear centrifuges in Iran in 2010. Neither has confirmed it.

Some NATO allies believe shutting down an enemy power plant through a cyber attack could be more effective than air strikes.

“I need to do a certain mission and I have an air asset, I also have a cyber asset. What fits best for me to get the effect I want?” Widmann said.

The 29-nation NATO alliance recognized cyber as a domain of warfare, along with land, air and sea, in 2014, but has not outlined in detail what that entails.

In Europe, the issue of deploying malware is sensitive because democratic governments do not want to be seen to be using the same tactics as an authoritarian regime. Commanders and experts have focused on defending their networks and blocking attempts at malicious manipulation of data.

Senior Baltic and British security officials say they have intelligence showing persistent Russian cyber hacks to try to bring down European energy and telecommunications networks, coupled with Internet disinformation campaigns.

They believe Russia is trying to break Western unity over economic sanctions imposed over Moscow’s 2014 annexation of Crimea and its support for separatists in eastern Ukraine.

“They (Russia) are seeking to attack the cohesion of NATO,” said a senior British security official, who said the balance between war and peace was becoming blurred in the virtual world. “It looks quite strategic.”

Moscow has repeatedly denied any such cyber attacks.

ESTONIAN ‘CYBER COMMAND’

The United States, Britain, the Netherlands, Germany and France have “cyber commands” — special headquarters to combat cyber espionage and hacks of critical infrastructure.

Estonia, which was hit by one of the world’s first large-scale cyber attacks a decade ago, aims to open a cyber command next year and make it fully operational by 2020, with offensive cyber weapons.

“You cannot only defend in cyberspace,” said Erki Kodar, Estonia’s undersecretary for legal and administrative affairs who oversees cyber policy at the defense ministry.

Across the globe this year computer hackers have disrupted multinational firms, ports and public services on an unprecedented scale, raising awareness of the issue.

NATO held its biggest ever cyber exercise this week at a military base in southern Estonia, testing 25 NATO allies against a fictional state-sponsored hacker group seeking to infiltrate NATO air defense and communication networks.

“The fictional scenarios are based on real threats,” said Estonian army Lieutenant-Colonel Anders Kuusk, who ran the exercise.

NATO’s commanders will not develop cyber weapons, but allied defense ministers agreed last month that NATO commanders can request that nations allow them to use their weapons.

(Reporting by Robin Emmott; Editing by Peter Graff)

UK shipping firm Clarkson reports cyber attack

(Reuters) – British shipping services provider Clarkson Plc <CKN.L> on Wednesday said it was the victim of a cyber security hack and warned that the person or persons behind the attack may release some data shortly.

The company’s disclosure, while a relatively rare event in Britain, follows a series of high-profile hacks in corporate America.

Clarkson is one of the world’s main shipbrokers, sourcing vessels for the world’s largest producers and traders of natural resources. It also has a research operation which collects and analyses data on merchant shipping and offshore markets.

The London-headquartered company said it had been working with the police on the incident but did not provide any details about the scale or type of data stolen.

“As soon as it was discovered, Clarksons took immediate steps to respond to and manage the incident,” the company said.

“Our initial investigations have shown the unauthorized access was gained via a single and isolated user account which has now been disabled.”

The company said it is in the process of contacting potentially affected clients and individuals directly, and that it has been working with data security specialists to probe further.

(Reporting by Rahul B in Bengaluru; Editing by Maju Samuel and Patrick Graham)

Millions of insecure gadgets exposed in European cities: report

LONDON (Reuters) – A year after a wave of denial-of-service attacks knocked out major websites around the world, millions of unsecured printers, network gear and webcams remain undefended against attack across major European cities, a report published on Tuesday said.

Computer security company Trend Micro <4704.T> said that Berlin has more than 2.8 million insecure devices, followed closely by London with more than 2.5 million exposed gadgets. Among the top 10 capitals, Rome was lowest with nearly 300,000 visible unsecured devices, the researchers said.

The study was based on calculating the number of exposed devices in major European cities using Shodan, a search engine that helps to identify internet-linked equipment.

Trend Micro said that electronics users must take responsibility for managing their own internet-connected devices because of the failure by many gadget manufacturers to build in up-front security by default in their products.

The warning comes one year after a wave of attacks using so-called botnets of infected devices caused outages on popular websites and knocked 900,000 Deutsche Telekom <DTEGn.DE> users off the internet. (http://reut.rs/2BjdRII)

Computer experts say the failure to patch millions of insecure devices after last year’s Mirai denial-of-service attacks means it is only a question of time before further broad-based outages occur.

Research company Gartner recently forecast that there would be 8.4 billion connected products or devices in 2017, up 31 percent from 2016, and expects the number to triple by 2020. (https://goo.gl/thR54Q)

(Reporting by Jamillah Knowles; Editing by Eric Auchard and David Goodman)

U.S. government warns businesses about cyber bug in Intel chips

By Stephen Nellis and Jim Finkle

(Reuters) – The U.S. government on Tuesday urged businesses to act on an Intel Corp alert about security flaws in widely used computer chips as industry researchers scrambled to understand the impact of the newly disclosed vulnerability.

The Department of Homeland Security gave the guidance a day after Intel said it had identified security vulnerabilities in remote-management software known as “Management Engine” that shipped with eight types of processors used in business computers sold by Dell Technologies Inc, Lenovo Group Ltd, HP Inc, Hewlett Packard Enterprise Co and other manufacturers.

Security experts said that it was not clear how difficult it would be to exploit the vulnerabilities to launch attacks, though they found the disclosure troubling because the affected chips were widely used.

“These vulnerabilities affect essentially every business computer and server with an Intel processor released in the last two years,” said Jay Little, a security engineer with cyber consulting firm Trail of Bits.

For a remote attack to succeed, a vulnerable machine would need to be configured to allow remote access, and a hacker would need to know the administrator’s user name and password, Little said. Attackers could break in without those credentials if they have physical access to the computer, he said.

Intel said that it knew of no cases where hackers had exploited the vulnerability in a cyber attack.

The Department of Homeland Security advised computer users to review the warning from Intel, which includes a software tool that checks whether a computer has a vulnerable chip. It also urged them to contact computer makers to obtain software updates and advice on strategies for mitigating the threat. (http://bit.ly/2zqhccw)

Intel spokeswoman Agnes Kwan said the company had provided software patches to fix the issue to all major computer manufacturers, though it was up to them to distribute patches to computer users.

Dell’s support website offered patches for servers, but not laptop or desktop computers, as of midday Tuesday. Lenovo offered fixes for some servers, laptops and tablets and said more updates would be available Friday. HP posted patches to its website on Tuesday evening.

Security experts noted that it could take time to fix vulnerable systems because installing patches on computer chips is a difficult process.

“Patching software is hard. Patching hardware is even harder,” said Ben Johnson, co-founder of cyber startup Obsidian Security.

(Reporting by Stephen Nellis; Editing by Cynthia Osterman and Grant McCool)