FBI warns automakers, owners about vehicle hacking risks

WASHINGTON (Reuters) – The FBI and U.S. National Highway Traffic Safety Administration (NHTSA) issued a bulletin Thursday warning that motor vehicles are “increasingly vulnerable” to hacking.

“The FBI and NHTSA are warning the general public and manufacturers – of vehicles, vehicle components, and aftermarket devices – to maintain awareness of potential issues and cybersecurity threats related to connected vehicle technologies in modern vehicles,” the agencies said in the bulletin.

In July 2015, Fiat Chrysler Automobiles NV recalled 1.4 million U.S. vehicles to install software after a magazine report raised concerns about hacking, the first action of its kind for the auto industry.

Also last year, General Motors Co issued a security update for a smartphone app that could have allowed a hacker to take control of some functions of a plug-in hybrid electric Chevrolet Volt, like starting the engine and unlocking the doors.

In January 2015, BMW AG said it had fixed a security flaw that could have allowed up to 2.2 million vehicles to have doors remotely opened by hackers.

“While not all hacking incidents may result in a risk to safety – such as an attacker taking control of a vehicle – it is important that consumers take appropriate steps to minimize risk,” the FBI bulletin said Thursday.

NHTSA Administrator Mark Rosekind told reporters in July 2015 that automakers must move fast to address hacking issues.

The Fiat Chrysler recall came after Wired magazine reported hackers could remotely take control of some functions of a 2014 Jeep Cherokee, including steering, transmission and brakes. NHTSA has said there has never been a real-world example of a hacker taking control of a vehicle.

Two major U.S. auto trade associations — the Alliance of Automobile Manufacturers and Association of Global Automakers — late last year opened an Information Sharing and Analysis Center. The groups share cyber-threat information and potential vulnerabilities in vehicles.

The FBI bulletin Thursday warned that criminals could exploit online vehicle software updates by sending fake “e-mail messages to vehicle owners who are looking to obtain legitimate software updates. Instead, the recipients could be tricked into clicking links to malicious Web sites or opening attachments containing malicious software.”

(Reporting by David Shepardson; Editing by Kenneth Maxwell)

Cyber criminals snap up expired domains to serve malicious ads

(Reuters) – Expired domain names are becoming the latest route for cyber criminals to find their way into the computers of unsuspecting users.

Cyber criminals launched a malicious advertising campaign this week targeting visitors of popular news and entertainment websites after gaining ownership of an expired web domain of an advertising company.

Users visiting the websites of the New York Times, Newsweek, BBC and AOL, among others, may have installed malware on their computers if they clicked on the malicious ads.

Bresntsmedia.com, the website used by hackers to serve up malware, expired on Jan. 1 and was registered again on March 6 by a different buyer, security researchers at Trustwave SpiderLabs wrote in a blog. (http://bit.ly/1Ubu21f)

Buying the domain of a small but legitimate ad company provided the criminals with high quality traffic from popular web sites that publish their ads directly, or as affiliates of other ad networks, the researchers said.

New York Times spokesman Jordan Cohen said the company was investigating if the attack had any impact. “To be clear, this is impacting ads from third parties that are beyond our control.”

Newsweek, BBC and AOL could not be immediately reached for comment.

The researchers also found two more expired “media”-related domains – envangmedia.com and markets.shangjiamedia.com – used by the same cyber criminals.

The people behind the campaign may be keeping watch for expired domains with the word “media” in them, they said.
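The pattern described above, a third-party domain that lapses and is picked up by someone else, can be checked for from the publisher's side. The following is an added example, not code from Trustwave SpiderLabs or from the article: it pulls the script and iframe origins out of a page, reduces each to its registrable domain, and flags domains that were registered only recently or whose name matches a watched keyword. The HTML, the WHOIS-style records and the `.example` domain names are constructed for illustration, and the registration lookup is passed in as a function so the check runs offline.

```python
"""Audit third-party script/iframe origins in a page for recently
(re-)registered domains.

Added example, not from the original article or Trustwave's write-up.
All domains, dates and HTML below are constructed; the WHOIS data is
injected via `lookup` so nothing here touches the network.
"""
from dataclasses import dataclass
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Registration:
    created: date
    expires: date


# Constructed registration records keyed by registrable domain. The third
# entry mimics the article's case: a domain created again weeks before the
# audit date, i.e. a lapsed name picked up by a new registrant.
SAMPLE_WHOIS = {
    "publisher.example": Registration(date(2004, 6, 1), date(2026, 6, 1)),
    "cdn-partner.example": Registration(date(2010, 2, 10), date(2020, 2, 10)),
    "lapsed-media.example": Registration(date(2016, 3, 6), date(2017, 3, 6)),
}

# Hypothetical watch list, following the "media" observation in the article.
WATCHED_KEYWORDS = ("media",)

# Constructed page: one first-party script, one established partner,
# one recently re-registered "media" domain and one unknown iframe host.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn-partner.example/lib.js"></script>
<script src="//ads.lapsed-media.example/tag.js"></script>
</head><body>
<iframe src="https://unknown-tracker.example/frame.html"></iframe>
</body></html>"""


class _ResourceCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.urls.append(value)


def registrable_domain(host):
    """Naive registrable domain: the last two labels.

    Good enough for the sample; real code should consult the Public
    Suffix List so that e.g. 'foo.co.uk' is not reduced to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def third_party_domains(html, page_domain):
    """Return the set of registrable domains other than the page's own."""
    collector = _ResourceCollector()
    collector.feed(html)
    found = set()
    for url in collector.urls:
        host = urlsplit(url).hostname  # None for relative (first-party) URLs
        if host and registrable_domain(host) != page_domain:
            found.add(registrable_domain(host))
    return found


def audit(html, page_domain, lookup, today, max_age_days=90):
    """Flag third-party domains with no record, a recent creation date,
    or a name on the watch list. Returns [(domain, [reasons])]."""
    findings = []
    for dom in sorted(third_party_domains(html, page_domain)):
        reasons = []
        reg = lookup(dom)
        if reg is None:
            reasons.append("no registration data")
        elif (today - reg.created).days <= max_age_days:
            reasons.append(f"registered {(today - reg.created).days} days ago")
        if any(k in dom for k in WATCHED_KEYWORDS):
            reasons.append("name matches watched keyword")
        if reasons:
            findings.append((dom, reasons))
    return findings


def run_sample():
    """Run the audit over the constructed page as of 15 March 2016."""
    return audit(SAMPLE_HTML, "publisher.example", SAMPLE_WHOIS.get,
                 date(2016, 3, 15))


if __name__ == "__main__":
    for domain, reasons in run_sample():
        print(f"{domain}: {'; '.join(reasons)}")
```

A creation date that is newer than the domain's previous expiry is the tell-tale for re-registration, so in production the lookup should keep the prior record and compare, and the audit should be re-run whenever an ad tag or partner script is added. A recent registration is only a signal, not proof of compromise; the finding is a prompt to ask the partner who now controls the name.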

(Reporting by Supantha Mukherjee and Abhirup Roy in Bengaluru; Editing by Saumyadeb Chakrabarty)

Chinese hackers behind U.S. ransomware attacks, security firms say

(Reuters) – Hackers using tactics and tools previously associated with Chinese government-supported computer network intrusions have joined the booming cyber crime industry of ransomware, four security firms that investigated attacks on U.S. companies said.

Ransomware, which involves encrypting a target’s computer files and then demanding payment to unlock them, has generally been considered the domain of run-of-the-mill cyber criminals.

But executives of the security firms have seen a level of sophistication in at least a half dozen cases over the last three months akin to those used in state-sponsored attacks, including techniques to gain entry and move around the networks, as well as the software used to manage intrusions.

“It is obviously a group of skilled operators that have some amount of experience conducting intrusions,” said Phil Burdette, who heads an incident response team at Dell SecureWorks.

Burdette said his team was called in on three cases in as many months where hackers spread ransomware after exploiting known vulnerabilities in application servers. From there, the hackers tricked more than 100 computers in each of the companies into installing the malicious programs.

The victims included a transportation company and a technology firm that had 30 percent of its machines captured.

Security firms Attack Research, InGuardians and G-C Partners, said they had separately investigated three other similar ransomware attacks since December.

Although they cannot be positive, the companies concluded that all were the work of a known advanced threat group from China, Attack Research Chief Executive Val Smith told Reuters.

The ransomware attacks have not previously been reported. None of the companies that were victims of the hackers agreed to be identified publicly.

Asked about the allegations, China’s Foreign Ministry said on Tuesday that if they were made with a “serious attitude” and reliable proof, China would treat the matter seriously.

But ministry spokesman Lu Kang said China did not have time to respond to what he called “rumors and speculation” about the country’s online activities.

The security companies investigating the advanced ransomware intrusions have various theories about what is behind them, but they do not have proof and they have not come to any firm conclusions.

Most of the theories flow from the possibility that the Chinese government has reduced its support for economic espionage, which it pledged to oppose in an agreement with the United States late last year. Some U.S. companies have reported a decline in Chinese hacking since the agreement.

Smith said some government hackers or contractors could be out of work or with reduced work and looking to supplement their income via ransomware.

It is also possible, Burdette said, that companies which had been penetrated for trade secrets or other reasons in the past were now being abandoned as China backs away, and that spies or their associates were taking as much as they could on the way out. In one of Dell’s cases, the means of access by the team spreading ransomware was established in 2013.

The cyber security experts could not completely rule out more prosaic explanations, such as the possibility that ordinary criminals had improved their skills and bought tools previously used only by governments.

Dell said that some of the malicious software had been associated by other security firms with a group dubbed Codoso, which has a record of years of attacks of interest to the Chinese government, including those on U.S. defense companies and sites that draw Chinese minorities.

PAYMENT IN BITCOIN

Ransomware has been around for years, spread by some of the same people that previously installed fake antivirus programs on home computers and badgered the victims into paying to remove imaginary threats.

In the past two years, better encryption techniques have often made it impossible for victims to regain access to their files without cooperation from the hackers. Many ransomware payments are made in the virtual currency Bitcoin and remain secret, but institutions including a Los Angeles hospital have gone public about ransomware attacks.

Ransomware operators generally set modest prices that many victims are willing to pay, and they usually do decrypt the files, which ensures that victims will post positively online about the transaction, making the next victims who research their predicament more willing to pay.

Security software companies have warned that because the aggregate payoffs for ransomware gangs are increasing, more criminals will shift to it from credit card theft and other complicated scams.

The involvement of more sophisticated hackers also promises to intensify the threat.

InGuardians CEO Jimmy Alderson said one of the cases his company investigated appeared to have been launched with online credentials stolen six months earlier in a suspected espionage hack of the sort typically called an Advanced Persistent Threat, or APT.

“The tactics of getting access to these networks are APT tactics, but instead of going further in to sit and listen stealthily, they are used for smash-and-grab,” Alderson said.

(Reporting by Joseph Menn in San Francisco; Additional reporting by Megha Rajagopalan in Beijing; Editing by Jonathan Weber and Clarence Fernandez)

Home Depot settles consumer lawsuit over big 2014 data breach

(Reuters) – Home Depot Inc has agreed to pay $13 million to compensate consumers affected by a massive 2014 data breach in which payment card or other personal data was stolen from more than 50 million people.

The home improvement retailer also agreed to pay $6.5 million to fund 1-1/2 years of identity protection services for card holders, and take steps to improve data security.

Terms of the preliminary settlement were disclosed in papers filed on Monday with the federal court in Atlanta, where Home Depot is based.

Court approval is required, and Home Depot did not admit wrongdoing or liability in agreeing to settle.

The company also agreed to pay legal fees of the plaintiffs’ lawyers, on top of the settlement fund.

“We wanted to put the litigation behind us, and this was the most expeditious path,” Home Depot spokesman Stephen Holmes said. “Customers were never responsible for any fraudulent charges.”

According to court papers, the settlement covers about 40 million people who had payment card data stolen, and 52 million to 53 million people who had email addresses stolen, with some overlap between the two groups.

The $13 million will compensate consumers with documented out-of-pocket losses or unreimbursed charges.

Home Depot has said the breach affected people who used payment cards on its self-checkout lines in U.S. and Canadian stores between April and September 2014.

In November, Home Depot said it had incurred $152 million of expenses from the breach, after accounting for expected insurance proceeds.

(Reporting by Jonathan Stempel in New York; Additional reporting by Nate Raymond; Editing by Chris Reese)

North Korea tried to hack South’s railway system, spy agency claims

SEOUL (Reuters) – North Korea has tried to hack into email accounts of South Korean railway workers in an attempt to attack the transport system’s control system, South Korea’s spy agency said on Tuesday.

South Korea has been on heightened alert against the threat of cyberattacks by North Korea after it conducted a nuclear test in January and a long-range rocket launch last month, triggering new U.N. sanctions.

South Korea had previously blamed the North for cyberattacks against its nuclear power operator. North Korea denied that.

South Korea’s National Intelligence Service (NIS) said in a statement it had interrupted the hacking attempt against the railway workers and closed off their email accounts.

The agency issued the statement after an emergency meeting with other government agencies on the threat of cyberattacks by the North.

The agency detected hacking attempts by the North against workers for two regional railway networks this year, the spy agency said.

“The move was a step to prepare for cyber terror against the railway transport control system,” the agency said.

It did not elaborate on what it thought North Korea’s specific objective was in hacking into the system. An agency official reached by telephone declined to comment.

North Korea has been working for years to develop the ability to disrupt or destroy computer systems that control public services such as telecommunications and other utilities, according to a defector from the North.

The United States accused North Korea of a cyberattack against Sony Pictures in 2014 that led to the studio cancelling the release of a comedy based on the fictional assassination of the country’s leader, Kim Jong Un.

North Korea denied the accusation.

In 2013, South Korea blamed the North for crippling cyber-attacks that froze the computer systems of its banks and broadcasters for days.

New fears of attacks on South Korea’s computer systems came as South Korean and U.S. troops conducted large-scale military exercises which North Korea denounced as “nuclear war moves” and threatened to respond with an all-out military offensive.

(Reporting by Jack Kim and Ju-min Park; Editing by Robert Birsel)

Mac ransomware caught before large number of computers infected

(Reuters) – The first known ransomware attack on Apple Inc’s Mac computers, which was discovered over the weekend, was downloaded more than 6,000 times before the threat was contained, according to a developer whose product was tainted with the malicious software.

Hackers infected Macs with the “KeRanger” ransomware through a tainted copy of Transmission, a popular program for transferring data through the BitTorrent peer-to-peer file sharing network.

So-called ransomware is a type of malicious software that restricts access to a computer system in some way and demands the user pay a ransom to the malware operators to remove the restriction.

KeRanger, which locks data on Macs so users cannot access it, was downloaded about 6,500 times before Apple and developers were able to thwart the threat, said John Clay, a representative for the open-source Transmission project.

That is small compared to the number of ransomware attacks on computers running Microsoft Corp’s Windows operating system. Cyber security firm Symantec Corp observed some 8.8 million attacks in 2014 alone.

Still, cyber security experts said they expect to see more attacks on Macs as the KeRanger hackers and other groups look for new ways to infect Mac computers.

“It’s a small number but these things always start small and ramp up huge,” said Fidelis Cybersecurity threat systems manager John Bambenek. “There’s a lot of Mac users out there and a lot of money to be made.”

Symantec, which sells anti-virus software for Macs, warned on its blog that “Mac users should not be complacent.” The post offered tips on protecting against ransomware.

The Transmission project provided few details about how the attack was launched.

“The normal disk image (was) replaced by the compromised one” after the project’s main server was hacked, said Clay.

He added that “security on the server has since been increased” and that the group was in “frequent contact” with Apple as well as Palo Alto Networks, which discovered the ransomware on Friday and immediately notified Apple and Transmission.

An Apple representative said the company quickly took steps over the weekend to prevent further infections by revoking a digital certificate that enabled the rogue software to install on Macs.

Transmission responded by removing the malicious 2.90 version of its software from its website. On Sunday, it released version 2.92, which its website says automatically removes the ransomware from infected Macs.

Forbes earlier reported on the number of KeRanger downloads, citing Clay.

(Reporting by Jim Finkle; Editing by Cynthia Osterman and Bill Rigby)

Apple users targeted in first known Mac ransomware campaign

BOSTON (Reuters) – Apple Inc customers were targeted by hackers over the weekend in the first campaign against Macintosh computers using a pernicious type of software known as ransomware, researchers with Palo Alto Networks Inc told Reuters on Sunday.

Ransomware, one of the fastest-growing types of cyber threats, encrypts data on infected machines, then typically asks users to pay ransoms in hard-to-trace digital currencies to get an electronic key so they can retrieve their data.

Security experts estimate that ransoms total hundreds of millions of dollars a year from such cyber criminals, who typically target users of Microsoft Corp’s Windows operating system.

Palo Alto Threat Intelligence Director Ryan Olson said the “KeRanger” malware, which appeared on Friday, was the first functioning ransomware attacking Apple’s Mac computers.

“This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,” Olson said in a telephone interview.

Hackers infected Macs through a tainted copy of a popular program known as Transmission, which is used to transfer data through the BitTorrent peer-to-peer file sharing network, Palo Alto said on a blog posted on Sunday afternoon.

When users downloaded version 2.90 of Transmission, which was released on Friday, their Macs were infected with the ransomware, the blog said.

An Apple representative said the company had taken steps over the weekend to prevent further infections by revoking a digital certificate that enabled the rogue software to install on Macs. The representative declined to provide other details.

Transmission responded by removing the malicious version of its software from its website. On Sunday it released a version that its website said automatically removes the ransomware from infected Macs.

The website advised Transmission users to immediately install the new update, version 2.92, if they suspected they might be infected.

Palo Alto said on its blog that KeRanger is programmed to stay quiet for three days after infecting a computer, then connect to the attacker’s server and start encrypting files so they cannot be accessed.

After encryption is completed, KeRanger demands a ransom of 1 bitcoin, or about $400, the blog said.

Olson, the Palo Alto threat intelligence director, said that the victims whose machines were compromised but not cleaned up could start losing access to data on Monday, which is three days after the virus was loaded onto Transmission’s site.
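The three-day delay described above is a behaviour a defender can look for on endpoint telemetry: a binary that runs, stays silent, and only days later makes its first outbound connection. The following is an added example, not code from Palo Alto Networks or the Transmission project. The log format, image paths, hosts and timestamps are constructed for illustration; a real deployment would feed in process-start and network-connect events from an endpoint agent.

```python
"""Flag binaries whose first outbound connection comes days after their
first execution, the "stay quiet, then call home" pattern.

Added example; the log lines, paths and hosts below are constructed and
the event format is hypothetical.
"""
from datetime import datetime

# Constructed telemetry: `exec` when an image starts, `connect` when a
# process with that image opens an outbound connection. The Example.app
# image runs on 4 March and first talks to the network on 7 March; curl
# connects within seconds of starting, as a network tool should.
SAMPLE_LOG = """\
2016-03-04T17:50:03Z exec image=/Applications/Example.app/Contents/MacOS/Example pid=4120
2016-03-04T17:50:05Z exec image=/usr/bin/curl pid=4131
2016-03-04T17:50:06Z connect image=/usr/bin/curl pid=4131 host=updates.example
2016-03-05T09:12:44Z exec image=/Applications/Example.app/Contents/MacOS/Example pid=4410
2016-03-07T17:55:19Z connect image=/Applications/Example.app/Contents/MacOS/Example pid=4410 host=c2.example
"""


def parse_line(line):
    """Split '<iso-timestamp> <event> k=v k=v ...' into its parts."""
    ts_text, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"), event, fields


def find_delayed_beacons(log_text, min_delay_days=3):
    """Return [(image, first_host, delay_days)] for every image whose
    first connect happened at least `min_delay_days` after its first exec.

    Images that connect before any recorded exec are ignored: without a
    start time there is nothing to measure the delay against.
    """
    first_exec = {}      # image -> first exec timestamp
    first_connect = {}   # image -> (first connect timestamp, host)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, fields = parse_line(line)
        image = fields.get("image")
        if event == "exec":
            first_exec.setdefault(image, ts)
        elif event == "connect":
            first_connect.setdefault(image, (ts, fields.get("host")))

    findings = []
    for image, (ts, host) in first_connect.items():
        if image not in first_exec:
            continue
        delay_days = (ts - first_exec[image]).total_seconds() / 86400
        if delay_days >= min_delay_days:
            findings.append((image, host, round(delay_days, 2)))
    return findings


if __name__ == "__main__":
    for image, host, days in find_delayed_beacons(SAMPLE_LOG):
        print(f"{image} first connected to {host} {days} days after first run")
```

This is a heuristic, not a signature: a legitimately installed application that is simply not used for a few days will trip it too, so the finding is worth raising only when the destination is unknown and the image is one that has no reason to reach the network. The threshold is the three days Palo Alto reported for KeRanger; other families use different delays, so the value should be treated as a tunable rather than a constant.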

Representatives with Transmission could not be reached for comment.

(Editing by Jeffrey Benkoe and Sandra Maler)

21st Century Oncology investigating cyber breach

(Reuters) – Cancer care provider 21st Century Oncology Holdings Inc said it was investigating a breach of its computer network, but had no indication that patient information had been misused.

The Federal Bureau of Investigation had advised the company of the breach in November but had asked it to hold off on making an announcement so as to not impede the investigation, 21st Century Oncology said on Friday.

The Fort Myers, Florida-based company operates 145 cancer treatment centers in the United States and 36 in Latin America.

The company said an investigation by a forensics firm it had hired showed that the intruder may have gained access to its database in early October.

The database contains personal information of some patients, including their names, social security numbers, physicians, diagnoses and treatment, as well as insurance data, the company said.

The FBI said on Friday the investigation remained ongoing and no further comments would be provided for now.

21st Century Oncology is notifying about 2.2 million of its current and former patients that certain information may have been copied and transferred, the company said in a regulatory filing.

The company said it would offer one year of free identity protection services to the affected individuals.

(Reporting by Natalie Grover in Bengaluru; Editing by Saumyadeb Chakrabarty)

U.S. tech companies unite behind Apple ahead of iPhone encryption ruling

(Reuters) – Alphabet Inc’s Google, Facebook Inc, Microsoft Corp and several other Internet and technology companies will file a joint legal brief on Thursday asking a judge to support Apple Inc in its encryption battle with the U.S. government, sources familiar with the companies’ plans said.

The effort is a rare display of unity and support for the iPhone maker from companies which are competitors in many areas, and shows the breadth of Silicon Valley’s opposition to the government’s anti-encryption effort.

The fight between Apple and the government became public last month when the U.S. Federal Bureau of Investigation obtained a court order requiring Apple to write new software and take other measures to disable passcode protection and allow access to an iPhone used by one of the San Bernardino shooters in December.

Apple has pushed back, arguing that such a move would set a dangerous precedent and threaten customer security. The clash has intensified a long-running debate over how much law enforcement and intelligence officials should be able to monitor digital communications.

The group of tech companies plans to file what is known as an amicus brief – a form of comment from outside groups common in complex cases – to the Riverside, California, federal judge Sheri Pym. She will rule on Apple’s appeal of a court order that would force it to create software to unlock the iPhone.

The companies will contest government arguments that the All Writs Act, a broad 1789 law that enables judges to require actions necessary to enforce their own orders, compels Apple to comply with its request.

In their joint brief, the tech companies will say that Congress passed the All Writs Act before the invention of the light bulb, and that it goes too far to contend that the law can be used to force engineers to disable security protections, according to a source familiar with their arguments.

Google, Facebook and others also appear to be tailoring their arguments specifically to a U.S. Supreme Court audience, where the case may end up. The brief will highlight a unanimous 2014 U.S. Supreme Court case which said law enforcement needs warrants to access smartphones snared in an arrest, the source said.

That opinion, penned by Chief Justice John Roberts, united the Supreme Court’s liberal and conservative factions.

Briefs are also expected in support of the government.

Stephen Larson, a former federal judge, told Reuters last week that he is working on a brief with victims of the San Bernardino shooting who want the FBI to be able to access the data on the phone used by Rizwan Farook. “They were targeted by terrorists, and they need to know why, how this could happen,” Larson said.

Several other tech companies are joining Google, Facebook and Microsoft.

Mozilla, maker of the Firefox web browser, said it was participating, along with online planning tool maker Evernote and messaging app firms Snapchat and WhatsApp. Bookmarking and social media site Pinterest and online storage firm Dropbox are also participating.

“We stand against the use of broad authorities to undermine the security of a company’s products,” Dropbox General Counsel Ramsey Homsany said in a statement.

A separate group including Twitter Inc, eBay Inc, LinkedIn Corp and more than a dozen other tech firms filed a brief with the court in support of Apple on Thursday. AT&T Inc filed its own brief.

Networking leader Cisco Systems Inc said it expected to address the court on Apple’s behalf, but did not say whether it was joining with the large group of companies.

Semiconductor maker Intel Corp plans to file a brief of its own in support of Apple, said Chris Young, senior vice president and general manager for Intel Security Group.

“We believe that tech companies need to have the ability to build and design their products as needed, and that means that we can’t have the government mandating how we build and design our products,” Young said in an interview.

The Stanford Law School Center for Internet and Society filed a separate brief on Thursday morning on behalf of a group of well-known experts on iPhone security and encryption, including Charlie Miller, Dino Dai Zovi, Bruce Schneier and Jonathan Zdziarski.

Privacy advocacy groups the American Civil Liberties Union, Access Now and the Wickr Foundation filed briefs on Wednesday in support of Apple before Thursday’s deadline set by Pym.

Salihin Kondoker, whose wife Anies Kondoker was injured in the San Bernardino attack, also wrote on Apple’s behalf, saying he shared the company’s fear that the software the government wants Apple to create to unlock the phone could be used to break into millions of other phones.

“I believe privacy is important and Apple should stay firm in their decision,” the letter said. “Neither I, nor my wife, want to raise our children in a world where privacy is the tradeoff for security.”

Law enforcement officials have said that Farook and his wife, Tashfeen Malik, were inspired by Islamist militants when they shot and killed 14 people and wounded 22 others last Dec. 2 at a holiday party. Farook and Malik were later killed in a shootout with police and the FBI said it wants to read the data on Farook’s phone to investigate any links with militant groups.

Earlier this week, a Brooklyn judge ruled that the government had overstepped its authority by seeking similar assistance from Apple in a drug case.

(Reporting by Jim Finkle in Boston and Dustin Volz in San Francisco; Additional reporting by Dan Levine, Heather Somerville, Sarah McBride, Julia Love in San Francisco; Editing by Jonathan Weber, Grant McCool and Bill Rigby)

NSA chief says ‘when, not if’ foreign country hacks U.S. infrastructure

SAN FRANCISCO (Reuters) – The U.S. National Security Agency chief said on Tuesday it was a “matter of when, not if” a foreign nation-state attempts to launch a cyber attack on the U.S. critical infrastructure, citing the recent hack on Ukraine’s power grid as a cause for concern.

Speaking at the RSA cyber security conference in San Francisco, Admiral Michael Rogers said he was also worried about data manipulation and potential offensive cyber threats posed by non-nation-state actors such as Islamic State.

The U.S. government said last week a December blackout in Ukraine that affected 225,000 customers was the result of a cyber attack, supporting what most security researchers had already concluded.

Some private researchers have linked the incident to a Russian hacking group known as “Sandworm.”

(Reporting by Dustin Volz; Editing by Jeffrey Benkoe)