Trump administration to order agencies to adopt new email security standards

Jeanette Manfra, Acting Deputy Undersecretary for Cybersecurity at the DHS, testifies about Russian interference in U.S. elections to the Senate Intelligence Committee in Washington, U.S., June 21, 2017.

By Dustin Volz

WASHINGTON (Reuters) – The Trump administration on Monday will order federal agencies to adopt common email security standards in an effort to better protect against hackers, a senior Department of Homeland Security official said.

DHS Assistant Secretary for Cybersecurity Jeanette Manfra, speaking at an event in New York, said the agency would issue a binding directive to require implementation of two cyber security measures, known as DMARC and STARTTLS, intended to guard against email spoofing and phishing attacks.

The new requirements are “discrete steps that have scalable, broad impact” that will improve federal government cyber security, Manfra said.

DMARC, or domain-based message authentication, reporting and conformance, is a widely used technical standard that lets the owner of a domain tell receiving mail servers how to treat messages claiming to come from that domain when they fail authentication checks. It helps detect and block email impersonation, such as when a hacker tries to pose as a government official or agency, and sends the domain owner reports about the spoofing attempts it sees.

STARTTLS is an extension to the protocol mail servers use to exchange email that lets two servers upgrade their plain-text connection to an encrypted one, making it more difficult for a third party to intercept email in transit between them. Because the upgrade is offered rather than required, a connection can still fall back to plain text unless the servers are configured to insist on encryption.
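The practical question behind a DMARC mandate is not whether a record exists but what it asks receivers to do: a record with p=none only monitors, p=quarantine asks that failing mail be treated as suspect, and p=reject asks that it be refused outright. The following added example (not code from the directive, DHS or any agency) parses DMARC TXT records and flags the weak spots a reviewer would look for. The domain names and records are constructed, and the tag semantics follow the published DMARC specification (RFC 7489).

```python
"""Parse DMARC records and grade how much anti-spoofing protection they request.

Added example with constructed sample data; not an agency's real DNS records."""
from __future__ import annotations
from typing import Optional

# Constructed sample records (hypothetical domains, not real agency data).
SAMPLE_RECORDS = {
    "agency-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@agency-a.example; pct=100",
    "agency-b.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:reports@agency-b.example",
    "agency-c.example": "v=DMARC1; p=none; rua=mailto:reports@agency-c.example",
    "agency-d.example": "v=spf1 include:_spf.example.net -all",  # an SPF record, not DMARC
}


def parse_dmarc(record: str) -> Optional[dict]:
    """Split 'tag=value; tag=value' into a dict; None if this is not a valid DMARC record."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # RFC 7489: v=DMARC1 is mandatory and a p= policy must be present.
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def assess(tags: Optional[dict]) -> tuple[str, list[str]]:
    """Return (policy, findings): the requested policy plus anything that weakens it."""
    if tags is None:
        return "missing", ["no valid DMARC record; receivers get no instruction about spoofed mail"]
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", [f"unknown p= value {tags['p']!r}"]
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; receivers are not asked to block spoofed mail")
    try:
        pct = int(tags.get("pct", "100"))   # default is 100 per the spec
    except ValueError:
        pct = 100
        findings.append(f"pct= is not a number: {tags['pct']!r}")
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports about spoofing are not collected")
    subdomain_policy = tags.get("sp", policy).lower()   # sp defaults to p
    if subdomain_policy != policy:
        findings.append(f"subdomain policy sp={subdomain_policy} differs from p={policy}")
    return policy, findings


def audit(records: dict[str, str]) -> dict[str, tuple[str, list[str]]]:
    """Assess every domain's record."""
    return {domain: assess(parse_dmarc(rec)) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, (policy, findings) in audit(SAMPLE_RECORDS).items():
        print(f"{domain}: p={policy}")
        for finding in findings:
            print("   -", finding)
```

In a real audit the record comes from a DNS TXT lookup of `_dmarc.<domain>`; the parsing and grading above are the same whatever the source. Note that DMARC only works on top of SPF and DKIM, so a reject policy on a domain whose legitimate mail is not correctly authenticated will cause that mail to be refused too, which is why agencies typically move from none to quarantine to reject rather than jumping straight to reject.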

(Reporting by Dustin Volz; Editing by Chizu Nomiyama and Bill Trott)

IRS puts Equifax contract on hold during security review

FILE PHOTO: Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell/File Photo

By John McCrank

NEW YORK (Reuters) – The U.S. Internal Revenue Service has temporarily suspended a contract worth more than $7 million it recently awarded to Equifax Inc following a security issue with the beleaguered credit reporting agency’s website on Thursday.

Equifax, which disclosed last month that cyber criminals breached its systems between mid-May and late July and made off with sensitive data on 145.5 million people, said on Thursday it shut down one of its website pages after discovering that a third-party vendor was running malicious code on the page.

“The IRS notified us that they have issued a stop-work order under our Transaction Support for Identity Management contract,” an Equifax spokesperson said on Friday.

“We remain confident that we are the best party to perform the services required in this contract,” the spokesperson said. “We are engaging IRS officials to review the facts and clarify available options.”

The IRS is the first organization to say publicly that it is suspending a contract with Equifax since the credit reporting agency’s security problems came to light.

Atlanta-based Equifax said its systems were not compromised by the incident on Thursday, which involved bogus pop-up windows on the web page that could trick visitors into installing software that automatically displays advertising material.

Still, the IRS said it decided to temporarily suspend its short-term contract with Equifax for identity-proofing services.

“During this suspension, the IRS will continue its review of Equifax systems and security,” the agency said in a statement. There was no indication that any of the IRS data shared with Equifax under the contract had been compromised, it added.

The move means that the IRS will temporarily be unable to create new accounts for taxpayers using its Secure Access portal, which supports applications including online accounts and transcripts. Users who already had Secure Access accounts will not be affected, the IRS said.

The IRS granted the $7.25 million contract to Equifax on Sept. 29, weeks after Equifax disclosed the massive data hack that drew scathing criticism from several lawmakers.

“From its initial announcement, the timing and nature of this IRS-Equifax contract raised some serious red flags … we are pleased to see the IRS suspend its contract with Equifax,” Republican Representatives Greg Walden and Robert Latta said in a joint statement on Friday.

“Our focus now remains on protecting consumers and getting answers for the 145 million Americans impacted by this massive breach,” they said.

Government contracts in areas such as healthcare, law enforcement, social services, and tax and revenue, are major sources of revenue for Equifax.

In 2016, government services made up 5 percent of Equifax’s overall $3.1 billion in revenue, accounting for 10 percent of its workforce solutions revenues, 3 percent of its U.S. information solutions revenues, and 7 percent of its international revenues, according to a regulatory financial filing.

(Reporting by John McCrank in New York; additional reporting by Dustin Volz in Washington; Editing by Bill Rigby)

SWIFT says hackers still targeting bank messaging system

FILE PHOTO : The Swift bank logo is pictured in this photo illustration taken April 26, 2016. REUTERS/Carlo Allegri/File Photo

By Jim Finkle

TORONTO (Reuters) – Hackers continue to target the SWIFT bank messaging system, though security controls instituted after last year’s $81 million heist at Bangladesh’s central bank have helped thwart many of those attempts, a senior SWIFT official told Reuters.

“Attempts continue,” said Stephen Gilderdale, head of SWIFT’s Customer Security Programme, in a phone interview. “That is what we expected. We didn’t expect the adversaries to suddenly disappear.”

The disclosure underscores that banks remain at risk of cyber attacks targeting computers used to access SWIFT almost two years after the February 2016 theft from a Bangladesh Bank account at the Federal Reserve Bank of New York.

Gilderdale declined to say how many hacks had been attempted this year, what percentage were successful, how much money had been stolen or whether they were growing or slowing down.

On Monday, two people were arrested in Sri Lanka for suspected money laundering from a Taiwanese bank whose computer system was hacked to enable illicit transactions abroad. Police acted after the state-owned Bank of Ceylon reported a suspicious transfer.

SWIFT, a Belgium-based co-operative owned by its user banks, has declined comment on the case, saying it does not discuss individual entities.

Gilderdale said that some security measures instituted in the wake of the Bangladesh Bank heist had thwarted attempts.

As an example, he said that SWIFT had stopped some heists thanks to an update to its software that automatically sends alerts when hackers tamper with data on bank computers used to access the messaging network.
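The control described here is integrity monitoring: record what the software and configuration on the access workstation are supposed to look like, then alert when they change. The following added example (not SWIFT's code, and the file names and contents are constructed) shows the core of such a check. It keys the baseline with an HMAC rather than a plain hash so that an attacker who can rewrite files on the host cannot also recompute a matching baseline without the key, which is assumed to be kept off the monitored machine.

```python
"""Detect tampering with the files on a messaging workstation against a keyed baseline.

Added example with constructed sample data; hypothetical paths and contents."""
from __future__ import annotations
import hashlib
import hmac

# Constructed snapshot of an operator workstation (hypothetical names and contents).
ORIGINAL_FILES = {
    "/opt/msgclient/bin/client": b"\x7fELF original client binary bytes",
    "/opt/msgclient/etc/client.conf": b"gateway=gw.internal.example\naudit_log=on\n",
    "/opt/msgclient/etc/operators.acl": b"alice:approve\nbob:release\n",
}


def keyed_digest(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 of file contents under the monitoring key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def take_baseline(key: bytes, files: dict[str, bytes]) -> dict[str, str]:
    """Digest every file once, at a moment the host is known to be clean."""
    return {path: keyed_digest(key, content) for path, content in files.items()}


def detect_tampering(key: bytes, baseline: dict[str, str], current: dict[str, bytes]) -> list[str]:
    """Compare the current files with the baseline; return one alert per change."""
    alerts = []
    for path, expected in baseline.items():
        if path not in current:
            alerts.append(f"REMOVED {path}")
        elif not hmac.compare_digest(keyed_digest(key, current[path]), expected):
            alerts.append(f"MODIFIED {path}")
    for path in current.keys() - baseline.keys():
        alerts.append(f"ADDED {path}")
    return sorted(alerts)


def simulate_attack(files: dict[str, bytes]) -> dict[str, bytes]:
    """Constructed tampering: silence logging, add an operator, drop in a library."""
    tampered = dict(files)
    tampered["/opt/msgclient/etc/client.conf"] = b"gateway=gw.internal.example\naudit_log=off\n"
    tampered["/opt/msgclient/etc/operators.acl"] = files["/opt/msgclient/etc/operators.acl"] + b"mallory:release\n"
    tampered["/opt/msgclient/bin/helper.so"] = b"injected shared object"
    return tampered


if __name__ == "__main__":
    key = b"monitoring-key-kept-off-host"   # hypothetical; would come from a secure store
    baseline = take_baseline(key, ORIGINAL_FILES)
    for alert in detect_tampering(key, baseline, simulate_attack(ORIGINAL_FILES)):
        print("ALERT", alert)
```

On a real host the `files` dictionaries would be produced by walking the directories of interest and reading each file, and the alerts would be forwarded to a monitoring system rather than printed. The baseline and key must live somewhere the attacker cannot reach from the monitored host; otherwise a tamper-and-rebaseline attack defeats the check.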

SWIFT shares technical information about cyber attacks and other details on how hackers target banks on a private portal open to its members.

Gilderdale was speaking ahead of the organization’s annual Sibos global user conference, which starts on Monday in Toronto.

At the conference, SWIFT will release details of a plan to start offering security data in “machine digestible” formats that banks can use to automate efforts to discover and remediate cyber attacks, he said.

SWIFT will also unveil plans to start sharing that data with outside security vendors so they can incorporate the information into their products, he said.

(Reporting by Jim Finkle, Editing by Rosalba O’Brien)

Equifax takes down web page after reports of new hack

The logo and trading information for Credit reporting company Equifax Inc. are displayed on a screen on the floor of the New York Stock Exchange (NYSE) in New York, U.S., September 26, 2017. REUTERS/Lucas Jackson

By John McCrank

NEW YORK (Reuters) – Equifax Inc said on Thursday it has taken one of its customer help web pages offline as its security team looks into reports of another potential cyber breach at the credit reporting company, which recently disclosed a hack that compromised the sensitive information of 145.5 million people.

The move came after an independent security analyst on Wednesday found part of Equifax’s website was under the control of attackers trying to trick visitors into installing fraudulent Adobe Flash updates that could infect computers with malware, the technology news website Ars Technica reported.

“We are aware of the situation identified on the equifax.com website in the credit report assistance link,” Equifax spokesman Wyatt Jefferies said in an email. “Our IT and security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline.”

The Atlanta-based company, which has faced seething criticism from consumers, regulators and lawmakers over its handling of the earlier breach, said it would provide more information as it becomes available.

Equifax disclosed on Sept. 7 that its systems had been breached between mid-May and late July. In the fallout, the company has parted ways with its chief executive, chief information officer and chief security officer.

The breach has prompted investigations by multiple federal and state agencies, including a criminal probe by the U.S. Department of Justice.

As a credit reporting agency, Equifax keeps vast amounts of consumer data for banks and other creditors to use to determine the chances of their customers’ defaulting.

(Reporting by John McCrank; Editing by Bill Rigby)

Joint Strike Fighter plans stolen in Australia cyber attack

Two Lockheed Martin Corp F-35 stealth fighter jets fly to the Avalon Airshow in Victoria, Australia, March 3, 2017. Australian Defence Force/Handout via REUTERS

By Tom Westbrook

SYDNEY (Reuters) – A hacker stole non-classified information about Australia’s Joint Strike Fighter program and other military hardware last year after breaching the network of a defense contractor, the defense industry minister said on Thursday.

About 30 gigabytes of data was stolen in the cyber attack, including details of the Joint Strike Fighter warplane and P-8 Poseidon surveillance plane, according to a presentation on the hack by a government official.

“Fortunately the data that has been taken is commercial data, not military data … it’s not classified information,” Defence Industry Minister Christopher Pyne told Australian Broadcasting Corporation (ABC) Radio.

“I don’t know who did it.”

In a presentation to a conference in Sydney, an official from the Australian Signals Directorate (ASD) intelligence agency said technical information on smart bombs, the Joint Strike Fighter, the Poseidon maritime patrol aircraft and several naval vessels was stolen.

“The compromise was extensive and extreme,” said the official, Mitchell Clarke, in an audio recording made by a ZDNet journalist and broadcast by the ABC.

Clarke said the attacker had access to the small contractor’s systems for five months in 2016, and that the “methodical, slow and deliberate” choice of target suggested a nation-state actor could be behind the raid.

Australia has agreed to buy 72 Lockheed Martin Corp Joint Strike Fighter planes.

A spokesman for the Australian Cyber Security Centre (ACSC), a government agency, said the government would not release further details about the cyber attack.

The ACSC said in a report on Monday that it responded to 734 cyber attacks on “systems of national interest” for the year ended June 30, and the defense industry was a major target.

The attack on the defense contractor was carried out by a “malicious cyber adversary”, it said.

In 2016 the agency said it responded to 1,095 cyber attacks over an 18-month period, including an intrusion from a foreign intelligence service on the weather bureau.

(Reporting by Tom Westbrook; Editing by Stephen Coates)

U.S. governors, hackers, academics team up to secure elections

FILE PHOTO: A man types into a keyboard during the Def Con hacker convention in Las Vegas, Nevada, U.S. on July 29, 2017. REUTERS/Steve Marcus

By Jim Finkle

(Reuters) – Hackers are joining forces with U.S. governors and academics in a new group aimed at preventing the manipulation of voter machines and computer systems to sway the outcome of future U.S. elections, a source familiar with the project said on Monday.

The anti-hacking coalition’s members include organizers of last summer’s Def Con hacking conference in Las Vegas, the National Governors Association and the Center for Internet Security, said the source, who asked not to be identified ahead of a formal announcement due to be made on Tuesday.

The Washington-based Atlantic Council think tank and several universities are also part of the project, the source said.

The coalition will be unveiled as Def Con organizers release a report describing vulnerabilities in voting machines and related technology that were uncovered in July.

Hackers pulled apart voting machines and election computers at the three-day event, uncovering security bugs that organizers said could be exploited by people trying to manipulate election results.

People at the Las Vegas conference learned to hack voting machines within minutes or just a few hours, according to a copy of the organizers’ report due for release on Tuesday and seen ahead of time by Reuters.

Concerns about election hacking have surged in the United States since late last year, when news surfaced that top U.S. intelligence agencies had determined that Russian President Vladimir Putin ordered computer hacks of Democratic Party emails to help Republican Donald Trump win the Nov. 8 election.

The U.S. Department of Homeland Security has said that Russian hackers targeted 21 U.S. state election systems in the 2016 presidential race and a small number were breached, although some states have disputed they were hacked. There was no evidence that any votes had been manipulated.

Several congressional committees are investigating and special counsel Robert Mueller is leading a separate probe into the Russia matter, including whether the Trump campaign colluded with Moscow.

Russia has denied the accusations.

As one possible counter-measure, organizers of the Def Con hacking conference have recommended that U.S. states reduce the amount of non-American parts and software used in their voting machines, according to the group’s report.

“Via a supply chain originating overseas, voting equipment and software can be compromised at the earliest of stages in manufacturing process,” the report says.

Further details on the members of the anti-hacking coalition were not immediately available.

(Reporting by Jim Finkle in Toronto; Additional reporting by David Ingram in San Francisco; Editing by Jonathan Oatis and Tom Brown)

Exclusive: SEC’s corporate filing system vulnerable to denial of service attacks – memo

FILE PHOTO: The seal of the U.S. Securities and Exchange Commission hangs on the wall at SEC headquarters in Washington, DC, U.S. on June 24, 2011. REUTERS/Jonathan Ernst/File Photo

By Sarah N. Lynch and Jim Finkle

(Reuters) – The U.S. Securities and Exchange Commission (SEC), Wall Street’s top regulator, has discovered a vulnerability in its corporate filing database that could cause the system to collapse, according to an internal document seen by Reuters.

The SEC’s September 22 memo reveals that its EDGAR database, containing financial reports from U.S. public companies and mutual funds, could be at risk of “denial of service” attacks, in which a system is flooded with traffic or oversized requests until it is overwhelmed and stops responding.

The discovery came when the SEC was testing EDGAR’s ability to absorb monthly and annual financial filings that will be required under new rules adopted last year for the $18 trillion mutual fund industry.

The memo shows that even an unintentional error by a company, and not just hackers with malicious intentions, could bring the system down. Even the submission of a large “invalid” form could overwhelm the system’s memory.

The defect comes after the SEC’s admission last month that hackers breached the EDGAR database in 2016.

The discovery will likely add to concerns about the vulnerability of the SEC’s network and whether the agency has been adequately addressing cyber threats.

The mutual fund industry has long had concerns that market-sensitive data required in the new rules could be exploited if it got into the wrong hands.

The industry has since redoubled its calls for SEC Chairman Jay Clayton to delay the data-reporting rules, set to go into effect in June next year, until it is reassured the information will be secure.

“Clearly, the SEC should postpone implementation of its data reporting rule until the security of those systems is thoroughly tested and assessed by independent third parties,” said Mike McNamee, chief public communications officer of The Investment Company Institute (ICI), whose members manage $20 trillion worth of assets in the United States.

“We are confident Chairman Clayton will live up to his pledge that the SEC will take whatever steps are necessary to ensure the security of its systems and the data it collects.”

An SEC spokesman declined to comment.

The rules adopted last year requiring asset managers to file monthly and annual reports about their portfolio holdings were designed to protect them in the event of a market crisis by showing the SEC and investors that they have enough liquidity to cover a rush of redemptions.

During a Congressional hearing on Wednesday, Clayton testified that the agency was considering whether to delay the rules in light of the cyber concerns. He did not, however, mention anything about the denial of service attack vulnerability.

VIRTUAL VOMIT

EDGAR is the repository for corporate America, housing millions of filings ranging from quarterly earnings to statements on acquisitions.

It is a virtual treasure trove for cyber criminals who could trade on any information gleaned before it is publicly released.

In the hack disclosed last month involving EDGAR, the SEC has said it now believes the criminals may have stolen non-public data for illicit trading.

The vulnerability revealed in the September memo shows that even an invalid form could jam up EDGAR.

The system did not immediately reject the form, the memo says. Rather, “it was being validated for hours before failing due to an invalid form type.”

That conclusion could spell trouble for the SEC’s EDGAR database because it means that if hackers wanted to, they could “basically take down the whole EDGAR system” by submitting a malicious data file, said one cyber security expert with experience securing networks of financial regulators who reviewed the letter for Reuters.

“The system would consume the data and essentially throw up on itself,” the person added.
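The weakness the memo describes is a validation-order problem: the system spent hours processing a submission whose form type alone should have disqualified it, and a large enough invalid file could exhaust memory before rejection. The defence is to run the cheap checks first and to bound the work before doing it. The following added example (not EDGAR's code; the form types, size limit and file layout are hypothetical and the filings are constructed) contrasts the two orderings.

```python
"""Fail-fast input validation: reject an unacceptable filing before doing expensive work.

Added example with constructed data; not EDGAR's code. Form types, limits and layout are hypothetical."""
from __future__ import annotations

ACCEPTED_FORM_TYPES = {"10-K", "10-Q", "N-PORT"}   # hypothetical allow-list
MAX_ROWS = 10_000                                   # hypothetical size bound per submission


def build_filing(form_type: str, n_rows: int) -> str:
    """Construct a synthetic submission: one header line, then one data row per line."""
    header = f"FORM-TYPE: {form_type}"
    rows = [f"ROW {i}: 12345.67" for i in range(n_rows)]
    return "\n".join([header, *rows])


def parse_rows(lines: list[str]) -> int:
    """The expensive step: parse every data row. Returns the number of rows processed."""
    parsed = 0
    for line in lines:
        if not line.strip():
            continue
        _label, _, value = line.partition(":")
        float(value)            # stands in for real per-row validation work
        parsed += 1
    return parsed


def validate_slow(filing: str) -> tuple[bool, int]:
    """Validate the whole body first and check the form type last.

    This mirrors the failure mode the memo describes: the body is validated
    at length before the submission is finally rejected for its form type."""
    lines = filing.split("\n")
    work = parse_rows(lines[1:])
    form_type = lines[0].partition(":")[2].strip()
    return form_type in ACCEPTED_FORM_TYPES, work


def validate_fast(filing: str) -> tuple[bool, int]:
    """Cheap checks first: form type, then a size bound, then the expensive parse."""
    header, _, body = filing.partition("\n")
    form_type = header.partition(":")[2].strip()
    if form_type not in ACCEPTED_FORM_TYPES:
        return False, 0                 # rejected before any row is touched
    n_rows = body.count("\n") + 1 if body else 0
    if n_rows > MAX_ROWS:
        return False, 0                 # oversized input never reaches the parser
    return True, parse_rows(body.split("\n"))


if __name__ == "__main__":
    bogus = build_filing("BOGUS", 50_000)
    print("slow path:", validate_slow(bogus))   # rejected, but only after 50,000 rows of work
    print("fast path:", validate_fast(bogus))   # rejected with no rows processed
```

The same principle applies to any submission pipeline: check identity, type and size against declared limits before parsing, and make the parser itself stream or cap its memory rather than load an entire submission before deciding whether it is acceptable.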

(Reporting by Sarah N. Lynch in Washington and Jim Finkle in Toronto; Editing by Carmel Crimmins)

German companies see threefold rise in cyber attacks, study finds

A man types into a keyboard during the Def Con hacker convention in Las Vegas, Nevada, U.S. on July 29, 2017. REUTERS/Steve Marcus

BERLIN (Reuters) – The number of German companies targeted by cyber attacks in the past three years has tripled compared with the three years to 2015 and the figure is growing steadily, a study showed on Thursday.

Of the 450 German companies surveyed by the audit and consulting company EY, 44 percent said they had been spied on. But Bodo Meseke, an expert at EY, said many companies did not notice attacks.

The study found that 67 percent of managers at larger enterprises – those with a turnover of more than one billion euros ($1.17 billion) – expect a significant increase in the number of attacks on their businesses.

Managers see the biggest danger coming from Russia, followed by China, and the United States.

“Recently, the threat increased rapidly again and it comes from different sides. In addition to intelligence services and (business) competitors, organized crime is increasingly becoming an adversary,” Meseke said.

A separate study by the Allensbach polling institute for Deloitte also published on Thursday showed that 27 percent of executives in medium and large companies said their businesses were exposed to IT attacks every day.

Four years ago, 12 percent suffered daily attacks.

The Allensbach study, based on interviews with politicians and companies, found that 97 percent of respondents considered a large-scale hacker attack to be “at least” probable or “very” probable.

Three-quarters of those questioned see a major risk of cyber attacks targeting infrastructure such as electricity grids or hospitals, and just as many see a major risk of infection by computer viruses.

(Reporting By Riham Alkousaa, editing by David Evans)

U.S. financial regulator must beef up cyber security: inspector

A man poses inside a server room at an IT company in this June 19, 2017 illustration photo. REUTERS/Athit Perawongmetha/Illustration

By Lisa Lambert

WASHINGTON (Reuters) – The U.S. Consumer Financial Protection Bureau (CFPB), one of Wall Street’s top regulators, must strengthen its protections against hacking, according to a report the agency’s internal inspector released on Wednesday as the financial sector reels from recent revelations of two major data breaches.

The former head of the Equifax <EFX.N> credit bureau is testifying before Congress this week about the company’s disclosure that personal information for millions of individuals had been stolen from its systems.

At the same time, the Securities and Exchange Commission – the country’s lead securities regulator – is facing lawmakers’ questions about information stolen last year from its filing system that may have been used for illicit trades.

The CFPB, which gathers sensitive information on individuals, banks, credit card companies and other financial firms as the government’s consumer finance watchdog, could suffer similar intrusions that might undermine public trust or limit its ability to carry out its mission, its inspector general said in a report dated Sept. 27 and released on Wednesday.

The agency “has not fully implemented processes, such as data loss prevention technologies, within its internal network that would enable the agency to detect and better protect against unauthorized access to and disclosure of its sensitive information,” the report said.

It also needs to run automated feeds through security checks and move away from manually tracking system security by putting alerts and continuous monitoring tools in place, the inspector general found.

In the five years since it was established, the CFPB has had to quickly erect sound information systems that can repel cyber attacks. All federal agencies are struggling to keep up with a steady rise in the number and sophistication of attempted intrusions, as criminal demand for stolen Social Security numbers and other personally identifiable information swells.

The inspector general also said the CFPB will soon implement a job succession plan to try to close possible staffing and skill gaps, hopefully clarifying what the future holds after Richard Cordray, the CFPB’s first director, leaves the agency.

Cordray, whose term expires in July, was appointed by President Barack Obama after the agency was created under the 2010 Dodd-Frank financial reform law.

Many expect him to depart earlier, however, and there is no precedent for replacing him.

President Donald Trump will likely appoint a successor who cuts back on the agency’s reach, raising questions about the direction of open CFPB investigations and rulemakings.

(Reporting by Lisa Lambert, editing by G Crosse)

Rising hacker threat will trigger boom in cyber crime insurance, Tryg says

People pose in front of a display showing the word 'cyber' in binary code, in this picture illustration taken in Zenica December 27, 2014. REUTERS/Dado Ruvic

COPENHAGEN (Reuters) – Insurer Tryg <TRYG.CO> expects 90 percent of its corporate customers to buy cyber crime insurance within five years as the threat from hackers and viruses to crucial data and IT systems grows.

Tryg, Denmark’s biggest insurer, has sold 5,000 cyber crime insurance policies since the turn of the year when it launched a new product providing assistance in restoring data and getting systems up and running if a firm is hit by a cyber attack.

“There are no corporate clients today that don’t have insurance on their buildings or cars, but I think that within a very few years it will be just as evident that you should insure against cyber crime,” chief executive Morten Hubbe told Reuters on Wednesday.

The initial rise in demand for cyber insurance was prompted by the ransomware attack, named “Wannacry”, that infected more than 300,000 computers worldwide in May.

He estimated that around 50 percent of the firm’s corporate clients would buy such an insurance by 2020 and from that point it would only take “a couple of years” to reach 90 percent.

Tryg’s two business segments for small and medium size businesses and larger corporate customers account for 44 percent of the group’s total premium income.

“The biggest risk to us is that significantly more customers get hit than we believe and that it gives us a huge economic loss,” said Hubbe.

While the firm has good insight into how often a house burns down or a bicycle is stolen on average, the frequency and extent of cyber crimes is hard to predict.

Tryg will also offer extensions to the basic insurance that cover consequential losses, back-up of data and a so-called DNS box aimed at blocking web pages known to contain viruses and malware.

For the big industrial players, Tryg would look to cooperate with global reinsurers to spread the risk when big companies lose revenues in connection with cyber attacks.

The world’s biggest container shipping firm Maersk Line <MAERSKb.CO> saw a $200-300 million bill from a June cyber attack that disrupted its operations for weeks.

(Reporting by Stine Jacobsen; editing by Ken Ferris)