China cyber watchdog rejects censorship critics, says internet must be ‘orderly’

BEIJING (Reuters) – China’s top cyber authority on Thursday rejected a recent report ranking it last out of 65 countries for press freedom, saying the internet must be “orderly” and the international community should join it in addressing fake news and other cyber issues.

Ren Xianliang, vice minister of the Cyberspace Administration of China (CAC), said the rapid development of the country’s internet over two decades is proof of its success and that it advocates for the free flow of information.

“We should not just make the internet fully free, it also needs to be orderly… The United States and Europe also need to deal with these fake news and rumors,” Ren told journalists without elaborating.

China enforces strict internet censorship rules, which have hardened this year with new restrictions on media outlets and surveillance measures for social media sites.

On Tuesday, U.S. NGO Freedom House released an annual report ranking China last in terms of internet freedom for the third year in a row, criticizing censorship activity targeting ethnic minorities, media and regular citizens.

The report also said the manipulation of social media had undermined elections in 18 countries over the past year.

This year China brought in new rules banning virtual private networks (VPNs) and other methods used to circumvent the country’s Great Firewall, which blocks foreign social media and news sites in the country.

The Cyberspace Administration also introduced laws making members of messaging app groups legally liable for content deemed offensive to socialist values.

It comes as China prepares to host the World Internet Conference, the country’s top public cyber policy forum, next month, where members of international governments and the UN will join local officials for a series of discussions on cyber governance.

Several foreign tech firms will also attend the event, including representatives from Facebook Inc, which is blocked behind the Great Firewall but used regularly abroad by Chinese state media outlets.

Ren on Thursday said China welcomed foreign firms to work in the country, on the condition that they abide by local rules and regulations.

(Reporting by Cate Cadell; Editing by Hugh Lawson)

Trump administration to release rules on disclosing cyber flaws: source

By Dustin Volz

WASHINGTON (Reuters) – The Trump administration is expected to publicly release on Wednesday its rules for deciding whether to disclose cyber security flaws or keep them secret, a national security official told Reuters.

The move is an attempt by the U.S. government to address criticism that it too often jeopardizes internet security by stockpiling the cyber vulnerabilities it detects in order to preserve its ability to launch its own attacks on computer systems.

The revised rules, expected to be published on whitehouse.gov, are intended to make the process for how various federal agencies weigh the costs of keeping a flaw secret more transparent, said the official, who spoke on condition of anonymity because the rules were not yet public.

Under former President Barack Obama, the U.S. government created an inter-agency review, known as the Vulnerability Equities Process, to determine what to do with flaws unearthed primarily by the National Security Agency.

The process is designed to balance law enforcement and U.S. intelligence desires to hack into devices with the need to warn manufacturers so that they can patch holes before criminals and other hackers take advantage of them.

The new Trump administration rules will name the agencies involved in the process and include more of them than before, such as the Departments of Commerce, Treasury and State, the official said.

Rob Joyce, the White House cyber security coordinator, has previewed the new rules in recent public appearances.

“It will include the criteria that the panel weighs, and it will also include the participants,” Joyce said last month at a Washington Post event. He said the Trump administration wanted to end the “smoke-filled room mystery” surrounding the process.

Some security experts have long criticized the process as overly secretive and too often erring against disclosure.

The criticism grew earlier this year when a global ransomware attack known as WannaCry infected computers in at least 150 countries, knocking hospitals offline and disrupting services at factories.

The attack was made possible because of a flaw in Microsoft’s Windows software that the NSA had used to build a hacking tool for its own use.

But in a breach U.S. investigators are still working to understand, that tool and others ended up in the hands of a mysterious group called the Shadow Brokers, which then published them online.

Suspected North Korean hackers spotted the Windows flaw and repurposed it to unleash the WannaCry attack, according to cyber experts. North Korea has routinely denied involvement in cyber attacks against other countries.

(Reporting by Dustin Volz; editing by Grant McCool)

Travelers says it is in ‘right spot’ for cyber insurance exposure

By Suzanne Barlyn

(Reuters) – Travelers Cos Inc <TRV.N> plans to stick to its recent growth pace for sales of cyber insurance, which protects businesses against hacking and other liabilities, despite potential to boost it, as the insurer assesses risks in the segment, its head of specialty insurance said on Monday.

“We feel like we’re just in the right spot,” Thomas Kunkel, the insurer’s president of bond and specialty insurance, said during an investor meeting in Connecticut.

Travelers has increased its cyber business at a 40 percent compound annual growth rate since 2011 and could quicken the pace, Kunkel said. “It would not be hard,” he said.

But Travelers must be “respectful and prudent” about the risks involved in cyber, Kunkel said.

Insurers have said the growing sophistication of hackers alongside a still-evolving cyber insurance industry makes it difficult to quantify their potential cyber-related losses.

About three-quarters of cyber policies that Travelers writes cover up to $1 million in damages, while nearly a quarter cover between $1 million and $5 million, the company said.

“We manage our limits very closely,” Kunkel said.

Equifax Inc <EFX.N>, which compiles credit information about consumers and assigns them scores, disclosed in September that cyber criminals had breached its systems between mid-May and late July and stolen the sensitive information of 145.5 million people. The hack is among the largest ever.

Regulation will also drive demand for cyber insurance, particularly in the financial services sector, Fitch Ratings said in a report on Monday.

“As the cyber insurance market develops, competition is likely to erode profit margins,” Fitch said.

Some insurers who ultimately enter the cyber market may lack underwriting experience and take on risks that could exceed their capital, Fitch said.

Events that could trigger large claims include cyber attacks on electronic grids and transportation systems, or hacks of large data storage clouds, Fitch said.

Insurer American International Group Inc <AIG.N> said on Oct. 26 that it was reviewing all types of coverage it offers to gauge its exposure to cyber risk.

AIG will start including cyber coverage as part of its commercial casualty insurance during the first quarter of 2018, Tracie Grella, global head of cyber risk insurance, said at the time.

The move would boost rates but also make it clearer how customers are covered if they are the victim of a security breach.

Many commercial insurers offer stand-alone cyber coverage, but it is not yet a standard addition to most other policies, such as property and casualty.

(Reporting by Suzanne Barlyn in New York; Editing by Lisa Von Ahn and Matthew Lewis)

Nepal bank latest victim in heists targeting SWIFT system

By Gopal Sharma

KATHMANDU (Reuters) – A bank in Nepal is the latest victim in a string of cyber heists targeting the global SWIFT bank messaging system, though most of the stolen funds have been recovered, two officials involved in the investigation confirmed on Tuesday.

Hackers last month made about $4.4 million in fraudulent transfers from Kathmandu-based NIC Asia Bank to countries including Britain, China, Japan, Singapore and the United States when the bank was closed for annual festival holidays, according to Nepal media reports.

All but $580,000 of the funds were recovered after Nepal asked other nations to block release of the stolen money, Chinta Mani Shivakoti, deputy governor of the Central Nepal Rastra Bank (NRB), told Reuters.

Brussels-based SWIFT said last month that security controls instituted after last year’s $81 million theft from Bangladesh’s central bank helped thwart some recent hacking attempts, but it warned that cyber criminals continue to target SWIFT customers.

SWIFT or the Society for Worldwide Interbank Financial Telecommunication is a co-operative owned by its user banks. It declined to comment on the NIC Asia Bank hack, saying it does not discuss specific users.

Representatives with NIC Asia Bank, one of dozens of private banks in Nepal, were not available for comment.

The chief of Nepal’s Central Investigation Bureau, Pushkar Karki, confirmed to Reuters that his agency was investigating the theft.

KPMG is also involved in the investigation, according to Nepali media reports. KPMG representatives could not immediately be reached for comment.

The central bank intends to release guidelines on how to thwart such incidents after investigations are completed, according to Shivakoti.

“The incident showed there are some weaknesses with the IT department of the bank,” Shivakoti said.

SWIFT said in a statement on Tuesday that it offers assistance to banks when it learns of potential fraud cases, then shares relevant information with other clients on an anonymous basis.

“This preserves confidentiality, whilst assisting other SWIFT users to take appropriate measures to protect themselves,” it said.

“We have no indication that our network and core messaging services have been compromised,” SWIFT added.

(Reporting by Gopal Sharma, additional reporting by Jeremy Wagstaff in Singapore and Jim Finkle in Toronto; Editing by Richard Balmforth and Matthew Lewis)

Vietnam’s neighbors, ASEAN, targeted by hackers: report

SINGAPORE (Reuters) – A hacking group previously linked to the Vietnamese government or working on its behalf has broken into the computers of neighboring countries as well as a grouping of Southeast Asian nations, according to cybersecurity company Volexity.

Steven Adair, founder and CEO, said the hacking group was still active, and had compromised the website of the Association of Southeast Asian Nations (ASEAN) over several high-profile summit meetings. ASEAN is holding another summit of regional leaders in the Philippines capital Manila this week.

In May, cybersecurity company FireEye reported that the group, which it calls APT32 and is also known as OceanLotus, was actively targeting foreign multinationals and dissidents in Vietnam. FireEye said at the time the group’s activity was “of interest to the nation of Vietnam.”

Adair told Reuters he had no basis to definitely say who was behind the group but said its capabilities rivalled those of most other advanced persistent threat (APT) groups, a term often used to refer to hacker groups that are believed to have state support.

“What we can say is that this is a very well resourced attacker that is able to conduct several simultaneous attack campaigns.”

Vietnamese officials did not immediately respond to requests for comment. But Hanoi has in the past denied accusations of cyber-attacks against organizations or individuals, and said it would prosecute any cases.

Adair said it was not clear how much information the group had stolen. “We do not really have anything on the scale of data theft, but we can tell you the scale and reach of the sites they have compromised is very far reaching,” he said.

Volexity said in a report that the group had compromised websites of ministries or government agencies in Laos, Cambodia and the Philippines so they would load malicious code onto the computers of targeted victims.

This code would then direct them to a Google page which asked for their permission to access their Google account. If the user agrees, the hackers then have access to their contacts and emails.

The ministries included Cambodia’s ministries of foreign affairs, the environment, the civil service and social affairs, as well as its national police. In the Philippines it had compromised the websites of the armed forces and the office of the president.

Three ASEAN websites, and the websites of dozens of Vietnamese non-government groups, individuals and media, were similarly targeted. The group also infected websites belonging to several Chinese oil companies.

Officials at ASEAN’s headquarters in Jakarta were not immediately available for comment.

Kirt Chanthearith, a spokesman for the Cambodian national police, said the police website was hacked about six months ago but he did not know who was responsible. “It was hacked and we lost some data,” he said, without giving further details.

Officials in Thailand said they were not aware of any hacking of government or police websites.

In Manila, Allan Cabanlong, executive director of the Cybercrime Investigation and Coordination Centre, said there was no damage to government web sites in the Philippines but authorities were taking preventive measures.

“We’ve taken measures like cyber hygiene programs,” he told Reuters. “We are conducting due diligence in the Philippines and we are clearing our network.”

(Reporting by Jeremy Wagstaff; Additional reporting by Chansy Chhorn in PHNOM PENH, Matthew Tostevin in HANOI, Patpicha Tanakasempipat and Suphanida Thakral in BANGKOK, Agustinus Beo Da Costa in JAKARTA and Neil Jerome Morales in MANILA; Editing by Raju Gopalakrishnan)

Global Banks fearing North Korea hacking, prepare defenses

By Jim Finkle and Alastair Sharp

WASHINGTON/TORONTO (Reuters) – Global banks are preparing to defend themselves against North Korea potentially intensifying a years-long hacking spree by seeking to cripple financial networks as Pyongyang weighs the threat of U.S. military action over its nuclear program, cyber security experts said.

North Korean hackers have stolen hundreds of millions of dollars from banks during the past three years, including a heist in 2016 at Bangladesh Bank that yielded $81 million, according to Dmitri Alperovitch, chief technology officer at cyber security firm CrowdStrike.

Alperovitch told the Reuters Cyber Security Summit on Tuesday that banks were concerned Pyongyang’s hackers may become more destructive by using the same type of “wiper” viruses they deployed across South Korea and at Sony Corp’s <6758.T> Hollywood studio.

The North Korean government has repeatedly denied accusations by security researchers and the U.S. government that it has carried out cyber attacks.

North Korean hackers could leverage knowledge about financial networks gathered during cyber heists to disrupt bank operations, according to Alperovitch, who said his firm has conducted “war game” exercises for several banks.

“The difference between theft and destruction is often a few keystrokes,” Alperovitch said.

Security teams at major U.S. banks have shared information on the North Korean cyber threat in recent months, said a second cyber security expert familiar with those talks.

“We know they attacked South Korean banks,” said the source, who added that fears have grown that banks in the United States will be targeted next.

Tensions between Washington and Pyongyang have been building after a series of nuclear and missile tests by North Korea and bellicose verbal exchanges between U.S. President Donald Trump and North Korean leader Kim Jong Un.

John Carlin, a former U.S. assistant attorney general, told the Reuters summit that other firms, among them defense contractors, retailers and social media companies, were also concerned.

“They are thinking ‘Are we going to see an escalation in attacks from North Korea?’” said Carlin, chair of Morrison & Foerster international law firm’s global risk and crisis management team.

Jim Lewis, a cyber expert with Washington’s Center for Strategic and International Studies, said it is unlikely that North Korea would launch destructive attacks on American banks because of concerns about U.S. retaliation.

Representatives of the U.S. Federal Reserve and the Office of the Comptroller of the Currency, the top U.S. banking regulators, declined to comment. Both have ramped up cyber security oversight in recent years.

(Reporting by Jim Finkle in Washington and Alastair Sharp in Toronto; additional reporting by Dustin Volz in Washington; editing by Grant McCool)

NotPetya hackers likely behind BadRabbit attack: researchers

By Jack Stubbs

MOSCOW (Reuters) – Technical indicators suggest a cyber attack which hit Russia and other countries this week was carried out by hackers behind a similar but bigger assault on Ukraine in June, security researchers who analyzed the two campaigns said on Wednesday.

Russia-based cyber firm Group-IB said the BadRabbit virus used in this week’s attack shared a key piece of code with the NotPetya malware that crippled businesses in Ukraine and worldwide earlier this year, suggesting the same group was responsible.

The BadRabbit attack hit Russia, Ukraine and other countries on Tuesday, taking down Russia’s Interfax news agency and delaying flights at Ukraine’s Odessa airport.

Multiple cyber security investigators have linked the two attacks, citing similarities in the malware coding and hacking methods, but stopped short of direct attribution.

Still, experts caution that attributing cyber attacks is notoriously difficult, as hackers regularly use techniques to cover their tracks and sometimes deliberately mislead investigators about their identity.

Security researchers at Cisco’s Talos unit said BadRabbit bore some similarities with NotPetya as they were both based on the same malware, but large parts of code had been rewritten and the new virus distribution method was less sophisticated.

They confirmed BadRabbit used a hacking tool called Eternal Romance, believed to have been developed by the U.S. National Security Agency (NSA) before being stolen and leaked online in April.

NotPetya also employed Eternal Romance, as well as another NSA tool called Eternal Blue. But Talos said they were used in a different way and there was no evidence BadRabbit contained Eternal Blue.

“It is highly likely that the same group of hackers was behind (the) BadRabbit ransomware attack on Oct. 25, 2017 and the epidemic of the NotPetya virus, which attacked the energy, telecommunications and financial sectors in Ukraine in June 2017,” Group-IB said in a technical report.

Matthieu Suiche, a French hacker and founder of the United Arab Emirates-based cyber security firm Comae Technologies, said he agreed with the Group-IB assessment that there was “serious reason to consider” that BadRabbit and NotPetya were created by the same people.

But some experts have said the conclusion is surprising as the NotPetya attack is widely thought to have been carried out by Russia, an allegation Moscow denies.

Ukrainian officials have said the NotPetya attack directly targeted Ukraine and was carried out by a hacking group widely known as Black Energy, which some cyber experts say works in favor of Russian government interests. Moscow has repeatedly denied carrying out cyber attacks against Ukraine.

The majority of BadRabbit’s victims were in Russia, with only a few in other countries such as Ukraine, Bulgaria, Turkey and Japan.

Group-IB said some parts of the BadRabbit virus dated from mid-2014, however, suggesting the hackers used old tools from previous attacks. “This corresponds with BlackEnergy timeframes, as the group started its notable activity in 2014,” it said.

(Additional reporting by Eric Auchard; Editing by Jim Finkle/Mark Heinrich)

U.S. warns public about attacks on energy, industrial firms

By Jim Finkle

(Reuters) – The U.S. government issued a rare public warning about hacking campaigns targeting energy and industrial firms, the latest evidence that cyber attacks present an increasing threat to the power industry and other public infrastructure.

The Department of Homeland Security and Federal Bureau of Investigation warned in a report distributed via email late on Friday that the nuclear, energy, aviation, water and critical manufacturing industries have been targeted along with government entities in attacks dating back to at least May.

The agencies warned that hackers had succeeded in compromising some targeted networks, but did not identify specific victims or describe any cases of sabotage.

The objective of the attackers is to compromise organizational networks with malicious emails and tainted websites to obtain credentials for accessing computer networks of their targets, the report said.

U.S. authorities have been monitoring the activity for months, which they initially detailed in a confidential June report first reported by Reuters. That document, which was privately distributed to firms at risk of attacks, described a narrower set of activity focusing on the nuclear, energy and critical manufacturing sectors.

Homeland Security and FBI representatives could not be reached for comment on Saturday morning.

Robert Lee, an expert in securing industrial networks, said the report describes activities from two or three groups that have stolen user credentials and spied on organizations in the United States and other nations, but not launched destructive attacks.

“This is very aggressive activity,” said Lee, chief executive of cyber-security firm Dragos.

He said the report appears to describe groups working in the interests of the Russian government, though he declined to elaborate. Dragos is also monitoring other groups targeting infrastructure that appear to be aligned with China, Iran and North Korea, he said.

The hacking described in the government report is unlikely to result in dramatic attacks in the near term, Lee said, but he added that it is still troubling: “We don’t want our adversaries learning enough to be able to do things that are disruptive later.”

The report said that hackers have succeeded in infiltrating some targets, including at least one energy generator, and conducting reconnaissance on their networks. It was accompanied by six technical documents describing malware used in the attacks.

Homeland Security “has confidence that this campaign is still ongoing and threat actors are actively pursuing their objectives over a long-term campaign,” the report said.

Government agencies and energy firms previously declined to identify any of the victims in the attacks described in June’s confidential report.

(Reporting by Jim Finkle in Toronto; Editing by Nick Zieminski)

Merck cyber attack may cost insurers $275 million: Verisk’s PCS

NEW YORK (Reuters) – Insurers could pay $275 million to cover the insured portion of drugmaker Merck & Co’s loss from a cyber attack in June, according to a forecast by Verisk Analytics Inc’s Property Claim Services (PCS) unit.

Merck, however, has not disclosed the magnitude of its uninsured losses from the “NotPetya” attack, which disrupted production of some Merck medicines and vaccines.

The company was among dozens of firms worldwide hit in the June 27 attack, which began in Ukraine, then rapidly spread through corporate networks of multinationals with operations or suppliers in Eastern Europe.

“Merck has not yet fully quantified its losses, much less given any of its insurers an estimate of the total amount of those losses,” Merck spokeswoman Claire Gillespie said in a statement.

She reiterated that Merck has insurance that would cover some costs, but declined to elaborate or say how much Merck expects to have to pay on its own.

The drugmaker said in July that it had suffered a worldwide disruption of its operations as a result of the malware. It was still in the process of restoring its manufacturing operations a month later.

Merck said then that it was confident it would be able to maintain a continuous supply of its top-selling and life-saving drugs, but warned of temporary delays in delivering some other products.

NotPetya is a destructive virus that spread quickly across computer networks, crippling computers by encrypting hard drives so that machines cannot run. The attacks caused massive disruptions to industrial networks that rely on computers because businesses must individually replace damaged drives, a labor-intensive process.

Cyber insurance can be expensive to buy and is not widely used outside the United States, with one insurer previously describing the cost as $100,000 for $10 million in data breach insurance.

Policies typically cover expenses stemming from a data breach, such as forensics and data restoration, among other costs. Coverage also helps pay for business interruption expenses when a breach or malware attack shuts down a company’s website.

Some companies without cyber insurance have used their policies covering kidnap, ransom and extortion to recoup losses caused by ransomware viruses.

PCS provides estimates on a wide variety of insured losses, ranging from damages caused by hacks to hurricanes and wildfires.

(Reporting by Michael Erman in New York and Noor Zainab Hussain in Bengaluru, additional reporting by Suzanne Barlyn; editing by Jim Finkle and G Crosse)

Researchers uncover flaw that makes Wi-Fi vulnerable to hacks

(Reuters) – Cyber security watchdogs and researchers are issuing warnings over risks associated with a widely used system for securing Wi-Fi communications after the discovery of a flaw that could allow hackers to read information thought to be encrypted, or infect websites with malware.

An alert from the U.S. Department of Homeland Security Computer Emergency Response Team on Monday said the flaw could be used within range of Wi-Fi using the WPA2 protocol to hijack private communications. It recommended installing vendor updates on affected products, such as routers provided by Cisco Systems Inc <CSCO.O> or Juniper Networks Inc <JNPR.N>.

Belgian researchers Mathy Vanhoef and Frank Piessens of Belgian university KU Leuven disclosed the bug in WPA2, which secures modern Wi-Fi systems used by vendors for wireless communications between mobile phones, laptops and other connected devices with Internet-connected routers or hot spots.

“If your device supports Wi-Fi, it is most likely affected,” they said on the www.krackattacks.com website, which they set up to provide technical information about the flaw and methods hackers might use to attack vulnerable devices.

It was not immediately clear how difficult it would be for hackers to exploit the bug, or if the vulnerability has previously been used to launch any attacks.

Finnish security firm F-Secure said experts have long been cautious about Wi-Fi’s ability to withstand security challenges of the 21st century.

“But the worst part of it is that it’s an issue with Wi-Fi protocols, which means it affects practically every single person in the world that uses Wi-Fi networks,” it said on its website.

Microsoft Corp <MSFT.O> said it had released a security update for Windows. Customers who applied the update, or had automatic updates enabled, would already be protected, it said in a statement emailed to Reuters.

CERT New Zealand and CERT India asked users to apply security updates. CERT NZ suggested using ethernet cables and connecting directly into the network, when possible.

“Given the complexity of updating smart devices such as mobile phones, CERT NZ also strongly recommends disabling Wi-Fi when it isn’t required,” it said in its advisory. (http://bit.ly/2gfho2b)

The Wi-Fi Alliance, an industry group that represents hundreds of Wi-Fi technology companies, said the issue “could be resolved through a straightforward software update”.

The group said in a statement it had advised members to release patches quickly and recommended that consumers quickly install those security updates.

(Reporting by Jim Finkle in Toronto and Dustin Volz in Washington; Additional reporting by Aradhana Aravindan in Singapore; Editing by Susan Thomas, Dan Grebler and Jacqueline Wong)