U.S. senators to introduce bill to secure ‘internet of things’

A man takes part in a hacking contest during the Def Con hacker convention in Las Vegas, Nevada, U.S. on July 29, 2017. REUTERS/Steve Marcus

By Dustin Volz

SAN FRANCISCO (Reuters) – A bipartisan group of U.S. senators on Tuesday plans to introduce legislation seeking to address vulnerabilities in computing devices embedded in everyday objects – known in the tech industry as the “internet of things” – which experts have long warned poses a threat to global cyber security.

The new bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities.

Republicans Cory Gardner and Steve Daines and Democrats Mark Warner and Ron Wyden are sponsoring the legislation, which was drafted with input from technology experts at the Atlantic Council and Harvard University. A Senate aide who helped write the bill said that companion legislation in the House was expected soon.

“We’re trying to take the lightest touch possible,” Warner told Reuters in an interview. He added that the legislation was intended to remedy an “obvious market failure” that has left device manufacturers with little incentive to build with security in mind.

The legislation would allow federal agencies to ask the U.S. Office of Management and Budget for permission to buy some non-compliant devices if other controls, such as network segmentation, are in place.

It would also expand legal protections for cyber researchers working in “good faith” to hack equipment to find vulnerabilities so manufacturers can patch previously unknown flaws.

Security researchers have long said that the ballooning array of online devices including cars, household appliances, speakers and medical equipment are not adequately protected from hackers who might attempt to steal personal information or launch sophisticated cyber attacks.

Between 20 billion and 30 billion devices are expected to be connected to the internet by 2020, researchers estimate, with a large percentage of them insecure.

Though security for the internet of things has been a known problem for years, some manufacturers say they are not well equipped to produce cyber secure devices.

Hundreds of thousands of insecure webcams, digital records and other everyday devices were hijacked last October to support a major attack on internet infrastructure that temporarily knocked some web services offline, including Twitter, PayPal and Spotify.

The new legislation includes “reasonable security recommendations” that would be important to improve protection of federal government networks, said Ray O’Farrell, chief technology officer at cloud computing firm VMware.

(Reporting by Dustin Volz; Editing by Bill Rigby)

U.S. Justice Department shuts down dark web bazaar AlphaBay

FILE PHOTO: The Department of Justice (DOJ) logo is pictured on a wall after a news conference in New York December 5, 2013. REUTERS/Carlo Allegri

By Dustin Volz

WASHINGTON (Reuters) – The U.S. Justice Department said on Thursday it had shut down the dark web marketplace AlphaBay, working with international partners to knock offline the site accused of allowing a global trade in drugs, firearms, computer hacking tools and other illicit goods.

Authorities said the law enforcement action was one of the largest ever taken against criminals on the dark web, part of the internet that is accessible only through certain software and typically used anonymously.

AlphaBay allowed users to sell and buy opioids, including fentanyl and heroin, contributing to a rising drug epidemic in the United States, Attorney General Jeff Sessions said at a news briefing in Washington, D.C. to announce the action.

“The dark net is not a place to hide,” Sessions said. “This is likely one of the most important criminal investigations of the year – taking down the largest dark net marketplace in history.”

The move struck a blow to an international drug trade that has increasingly moved online in recent years, though some experts thought its impact would be limited.

“The takedown of AlphaBay is significant, but it’s a bit of a whac-a-mole,” said Frank Cilluffo, director of the Center for Cyber and Homeland Security at George Washington University.

Criminals, he said, “are going to flock to other places.”

AlphaBay mysteriously went offline earlier this month, prompting speculation among its users that authorities had seized the site. It was widely considered the biggest online black market for drugs, estimated to host daily transactions totaling hundreds of thousands of dollars.

The Justice Department said law enforcement partners in the Netherlands had taken down Hansa Market, another dark web marketplace.

AlphaBay and Hansa Market were two of the top three criminal marketplaces on the dark web, Europol chief Rob Wainwright said at the press conference.

The international exercise to seize AlphaBay’s servers also involved authorities in Thailand, Lithuania, Canada, Britain and France.

The operation included the arrest on July 5 of suspected AlphaBay founder Alexandre Cazes, a Canadian citizen arrested on behalf of the United States in Thailand.

Cazes was logged on to AlphaBay at the time of his arrest, allowing authorities to find his passwords and other information about the site’s servers, according to legal documents.

Cazes, 25, apparently took his life a week later while in Thai custody, the Justice Department said. He faced charges relating to narcotics distribution, identity theft, money laundering and related crimes.

FBI Acting Director Andrew McCabe said AlphaBay was ten times as large as Silk Road, a similar dark website the agency shut down in 2013.

About a year later, AlphaBay was launched, growing quickly in size and allowing users to browse goods via the anonymity service Tor and to purchase them with bitcoin currency.

(Additional reporting by Doina Chiacu and Julia Edwards Ainsley; Editing by Bernadette Baum)

Foreign hackers probe European critical infrastructure networks

Cables and computers are seen inside a data centre at an office in the heart of the financial district in London, Britain

By Mark Hosenball

LONDON (Reuters) – Cyber attackers are regularly trying to attack data networks connected to critical national infrastructure systems around Europe, according to current and former European government sources with knowledge of the issue.

The sources acknowledged that European infrastructure data networks face regular attacks similar to those which the Washington Post newspaper said on Sunday had been launched by Russian government hackers against business systems of U.S. nuclear power and other companies involved in energy production.

One former senior British security official said it was an “article of faith” that Russian government hackers were seeking to penetrate UK critical infrastructure, though the official said he could not cite public case studies.

A European security source acknowledged that UK authorities were aware of the latest reports about infrastructure hacking attempts and that British authorities were in regular contact with other governments over the attacks.

UK authorities declined to comment on the extent of any such attempted or successful attacks in Britain or elsewhere in Europe or to discuss what possible security measures governments and infrastructure operators might be taking.

The Washington Post said recent attempted Russian hacking attacks on infrastructure related systems in the United States appeared to be an effort to “assess” such networks.

But there was no evidence that hackers had actually penetrated or disrupted key systems controlling operations at nuclear plants.

The Post cited several U.S. and industry officials saying that this was the first time hackers associated with the Russian government are known to have tried to get into U.S. nuclear power companies.

The newspaper said that in late June the Federal Bureau of Investigation (FBI) and the U.S. Homeland Security Department warned energy companies that unnamed foreign hackers were trying to steal login and password information so they could hack into networks.

U.S. officials have acknowledged that many key computer systems which run critical infrastructure ranging from power grids to transportation networks originally were not built with strong security protection against outside hackers.

Security experts in the U.S. and Europe acknowledge that the development and evolution of security measures to protect critical infrastructure systems against outside intruders has often run behind the ability of hackers to invent tools to get inside such systems.

(Editing by Richard Balmforth)

Facebook beats privacy lawsuit in U.S. over user tracking

The Facebook logo is displayed on their website

By Jonathan Stempel

(Reuters) – A U.S. judge has dismissed nationwide litigation accusing Facebook Inc of tracking users’ internet activity even after they logged out of the social media website.

In a decision late on Friday, U.S. District Judge Edward Davila in San Jose, California said the plaintiffs failed to show they had a reasonable expectation of privacy, or that they suffered any “realistic” economic harm or loss.

The plaintiffs claimed that Facebook violated federal and California privacy and wiretapping laws by storing cookies on their browsers that tracked when they visited outside websites containing Facebook “like” buttons.

But the judge said the plaintiffs could have taken steps to keep their browsing histories private, and failed to show that Menlo Park, California-based Facebook illegally “intercepted” or eavesdropped on their communications.

“The fact that a user’s web browser automatically sends the same information to both parties,” meaning Facebook and an outside website, “does not establish that one party intercepted the user’s communication with the other,” Davila wrote.

Lawyers for the plaintiffs did not immediately respond on Monday to requests for comment. Facebook did not immediately respond to a similar request.

Davila said the plaintiffs cannot bring their privacy and wiretapping claims again, but can try to pursue a breach of contract claim again. He had dismissed an earlier version of the 5-1/2-year-old case in October 2015.

The case is In re: Facebook Internet Tracking Litigation, U.S. District Court, Northern District of California, No. 12-md-02314.

(Reporting by Jonathan Stempel in New York; Editing by Bill Rigby)

Exclusive: Fake online stores reveal gamblers’ shadow banking system

A screen grab of the home page of website www.myfabricfactory.com taken June 20, 2017. www.myfabricfactory.com via Reuters

By Alasdair Pal

LONDON (Reuters) – A network of dummy online stores offering household goods has been used as a front for internet gambling payments, a Reuters examination has found.

The seven sites, operated out of Europe, purport to sell items including fabric, DVD cases, maps, gift wrap, mechanical tape, pin badges and flags. In fact, they are fake outlets, part of a multinational system to disguise payments for the $40 billion global online gambling industry, which is illegal in many countries and some U.S. states.

The findings raise questions about how e-commerce is policed worldwide. They also underline a strategy which fraud specialists say regulators, card issuers and banks have yet to tackle head-on.

That strategy is “transaction laundering” – when one online merchant processes payment card transactions on behalf of another, which can help disguise the true nature of payments.

Credit card companies including Visa and Mastercard require all online purchases to be coded so they can see what type of purchase is being processed and block it if it is illegal in a particular country. The codes are known as Merchant Category Codes. Gambling transactions, for example, are given the code of 7995 and subject to extra scrutiny.

The scheme found by Reuters involved websites which accepted payments for household items from a reporter but did not deliver any products. Instead, staff who answered helpdesk numbers on the sites said the outlets did not sell the product advertised, but that they were used to help process gambling payments, mostly for Americans.

Categorising a gambling transaction as a purchase of something else is against the rules of card issuers including Visa and Mastercard, the card companies said in response to Reuters’ findings.

“Transaction laundering is serious misconduct – often criminal,” said Dan Frechtling, head of product at G2 Web Services, a financial compliance company which works with leading banks and card issuers. “It violates the merchant’s agreement with its acquirer, allows prohibited goods and services to enter the payment system, and may flout anti-money laundering laws.”

Three other fraud experts consulted by Reuters said transaction laundering helps online merchants trade in areas that credit card issuers and banks may otherwise bar as “high risk,” such as gaming, pornography or drugs. Some of them say thousands of online merchants may be using similar techniques to move billions of dollars that card companies would otherwise block.

“It is the digital evolution of money laundering,” said Ron Teicher, CEO of Evercompliant, a cyber-intelligence firm that works with banks to identify suspect sites. “The only thing is it is much easier to do, and much harder to get caught.”

GATEWAY FOR GAMBLERS

The dummy stores came to Reuters’ attention in late 2016, when an anonymous document posted on the internet pointed to three online outlets that advertised products but did not actually deliver any. In December, a reporter placed an order for a yard of burlap cloth on one of the sites, myfabricfactory.com, a website run by a UK company called Sarphone Ltd. The fabric, advertised in U.S. dollars at $6.48 per yard, has “many uses including lightweight drapes,” the website says. Sarphone did not respond to requests for comment.

This order went unmet. After a few weeks an email from My Fabric Factory arrived saying the product was out of stock. The payment was refunded.

When a reporter called the helpline number given on the site, the call was answered by someone who gave her name as Anna Richardson. She said she was employed by Agora Online Services, a payment services provider. Payment services providers (PSPs) verify, process and code card transactions.

Richardson said Agora processes payments for poker and works with “hundreds” of online gambling sites. Asked which references on the reporter’s card statement would be for online gambling, Richardson said, “If you have been using a betting site of any sort … they are normally processed by us.”

It was not possible to verify Richardson’s identity. The My Fabric Factory email came from Agora’s email address, info@agrsupport.net. Agora, headquartered in Iceland and linked to companies from the UK to Germany, is owned by a Mauritius-based company, DueXX Ltd, according to Orbis, a company database. Andrej Brandt, one of two directors of Agora and listed as the sole point of contact on DueXX’s website, declined to comment.

“Thank you very much for your interest but I don’t like to share my views and insights,” he said via text message after Reuters presented its findings. “I presume you understand.”

The other director of Agora, Joerg Henning, could not be reached.

Reuters placed orders for household products on six other websites, all owned by companies in the UK. All the orders went unfilled and payment was refunded without comment. The sites used the same mail server as one of Agora’s web addresses, agrsupport.net, according to domain name records.

The site helplines were answered by three individuals who all said they worked for Agora, a company that specialized in processing gambling payments. One was the woman who identified herself as Anna Richardson. Another gave her name as Lucy, and the third, who did not give his name, told the reporter, “Most of the people who gamble and end up having our charges on their accounts are Americans. Gambling is illegal in America.” The staff said they were based in Germany.

When Reuters made payments on the seven sites, in each case the reporter’s credit details were processed by Deutsche Payment, a payment processor headquartered in Berlin. Its website says it is certified by the PCI Security Standards Council, a global payment card security body. It was included in Visa Europe’s May 2017 list of approved agents. Deutsche Payment did not respond to requests for comment.

The PCI Security Standards Council said it was up to the card companies to regulate payment processors.

Presented with Reuters’ findings, a spokesperson for Visa said, “We require all gaming sites to be processed under the relevant Merchant Category Code. Our rules are always subject to local law and we do not tolerate criminal activity.”

A spokesperson for Mastercard said: “When we are alerted to activities that may be against our rules or against the law, we work with the merchant’s bank to confirm or investigate the allegation.”

After Reuters approached the payment processing companies, all seven online stores stopped accepting payments, although they remain visible online.

ECOSYSTEM

Illicit gaming is hard to detect, partly because those involved cooperate to hide what they are doing, said Scott Talbot, head of government relations at the Electronic Transactions Association, a trade organization for the payment processing industry that counts some of the world’s largest banks as members.

Also, sites like those found by Reuters are small cogs in a complex global infrastructure.

“Illicit finance is incredibly creative,” said Gregory Lisa, a partner at law firm Hogan Lovells who has worked for the U.S. Treasury Department’s Financial Crimes Enforcement Network and as a trial attorney for the U.S. Department of Justice prosecuting money-laundering and fraud cases. “It is a very difficult arms race between the government and illicit actors and their financiers.”

Fraud specialists say dummy stores like those found by Reuters are not meant to be visited by the normal public. They are designed to be hard to spot, and their role is simply as a shop front to back up the bogus description.

Gambling sites that operate in countries where online gaming is illegal will take payment through their own sites, but then simply program the sites to give a reference to sites like the dummy stores in payment records, the consultancy Evercompliant says.

As far as the gambler is concerned, their payment has gone to the gambling site. Only when they see their card statement do they find a reference to the bogus store. If they visit the store and call the helpline number, the people who answer explain that the transaction actually corresponds to gambling – as Agora staff told the Reuters reporter.

Evercompliant, which has developed proprietary technology to help large banks and finance firms check sites they deal with, analyzed the seven dummy stores at Reuters’ request.

It found they were part of what it called an “ecosystem” of nearly 50 interlinked websites, owned by companies in countries ranging from Georgia to Latvia. It analyzed these sites and said if it had found such a network in a bank’s portfolio of customers, it would suspect transaction laundering, CEO Teicher said.

LOOPHOLES

Such sites get around checks by credit card companies by using loopholes in the system, according to Frechtling at G2.

Some banks rely on payment processors to vet online merchants. While most PSP firms are legitimate, their due diligence can be perfunctory, he said.

“Some PSPs will make a basic anti-money laundering check – for example, using sanctions lists,” he said. “But they may not do a full vetting of you until you start transacting. That is a weak link.

“Transaction laundering directly through a bank doing thorough due diligence would be relatively difficult, but at a PSP that is sponsored by a bank it is often easier.”

It was not possible for Reuters to determine which bank or banks work with Deutsche Payment or Agora.

The UK firms that own the seven dummy online stores were set up by Simon Dowson, whose company formation agency closed down in 2015 after businesses it set up were involved in global scams including money-laundering. Reuters revealed last year how Dowson used residents of the English town of Consett as part of the scheme.

Dowson’s wife, Tanaporn Thompson, also known as Tanaporn Dowson, was named as director of Sarphone Ltd, the owner of My Fabric Factory, for a week in January 2017. She could not be reached.

The person named in the UK company register as having ultimate control of Sarphone is another Consett resident, Emma Chambers. Chambers and Dowson did not respond to requests for comment for this story.

(Additional reporting by Lauren Young in New York and Ragnhildur Sigurdardottir in Reykjavik; Edited by Sara Ledwith)

In Russia, state TV and the Internet tell a tale of two protests

Riot police detain a man during an anti-corruption protest organised by opposition leader Alexei Navalny, on Tverskaya Street in central Moscow, Russia. REUTERS/Maxim Shemetov

By Andrew Osborn

MOSCOW (Reuters) – Some of the biggest anti-Kremlin protests in years swept across Russia on Monday with over 1,000 people detained by the police ahead of a presidential election next year. But anyone relying on state TV would have concluded they were a non-event.

Vremya, state TV’s flagship evening news show, relegated news of the protests to item nine of 10, and, in a report lasting around 30 seconds, said less than 2,000 people had shown up in Moscow. Some 150 people had been detained for disobeying the police elsewhere in the city, it said.

The main news of the day, according to Vremya, had instead been President Vladimir Putin’s handing out of state awards.

The Internet, awash with images and videos of police hauling people off across the country and, in at least one case, of a protester being punched, had a different take.

A live feed organized by opposition leader Alexei Navalny, who was detained in Moscow before he could attend what the authorities said was an illegal protest, showed demonstrations in scores of cities from Vladivostok to St Petersburg and thousands of people converging on central Moscow.

Other footage showed some protesters chanting “Russia without Putin” and “Down with the Tsar.”

The competing versions of one day in Vladimir Putin’s Russia highlight the battle being fought between state TV, where most Russians get their news, and the Internet, which Putin critic Navalny is using to try to unseat the veteran Russian leader.

Ahead of a presidential election in March which Putin is expected to contest and that Navalny hopes to run in, the battle for Russians’ hearts and minds is escalating.

On the face of it, the contest is one-sided. Polls show that Putin, who has dominated Russian political life for the last 17 years, will comfortably win if he stands, while a poll last month said only 1 percent would vote for Navalny.

Putin has enjoyed glowing Soviet-style coverage on state TV for almost two decades. Navalny barely gets a look in, and if he does it is inevitably a negative reference.

The Kremlin and top government officials deliberately try not to mention his name, and state TV largely ignored Navalny’s last big protests, in March, too. Dmitry Kiselyov, anchor of Russia’s main weekly TV news show “Vesti Nedeli,” explained then that his show had ignored the demonstrations, the largest since 2012, because he viewed Navalny as a corrupt political chancer.

“Our Western colleagues would have done exactly the same,” said Kiselyov.

Handed a five-year suspended prison sentence in February for embezzlement, Navalny says he is not corrupt and that the conviction was politically-motivated to try to kill off his presidential campaign.

The 41-year-old lawyer has been trying to use the Internet to circumvent what he says is a TV blackout. He has set up his own YouTube channel, which has over 300,000 subscribers, become a prolific social media poster, and regularly circulates clips of himself criticizing Putin, 64, whom he calls “the old man.”

Partly funded by supporters’ campaign contributions, his online push has had some success, particularly among school children and students, though his support base includes older people, too, who typically live in Russia’s big cities.

A video he made accusing Prime Minister Dmitry Medvedev, a Putin ally, of living a luxury lifestyle far outstripping his official salary, has so far racked up more than 22 million online views. Medvedev said the allegations were nonsense.

Navalny’s detractors have gone online too.

A video likening him to Adolf Hitler has racked up over 2 million views on YouTube, as has a music video released ahead of Monday’s protests by pop singer Alisa Voks who urged young fans to “stay out of politics” and do their homework instead.

Businessman Alisher Usmanov, whom Navalny targeted in his Medvedev video, also used the Internet to hit back, making two videos of his own questioning Navalny’s probity.

Navalny’s critics, including some other anti-Kremlin politicians, accuse him of holding dangerously nationalist views and of having denigrated migrants in the past. Navalny says he is able to talk to, and connect with, different parts of the electorate.

Serving out a 30-day jail sentence for his role in organizing Monday’s protests, Navalny has mocked his opponents’ efforts to use the Internet.

He says his Medvedev video has been watched by more people than some TV programs, but for now he says state TV has the upper hand.

“Right now TV is more effective,” he told supporters after his release from jail in April after the last round of protests. “But we’re looking for new methods. We need to keep making videos.”

(Editing by Richard Balmforth)

Oddities in WannaCry ransomware puzzle cybersecurity researchers

Cables and computers are seen inside a data centre at an office in the heart of the financial district in London, Britain May 15, 2017. REUTERS/Dylan Martinez

By Jeremy Wagstaff

SINGAPORE (Reuters) – The WannaCry malware that spread to more than 100 countries in a few hours is throwing up several surprises for cybersecurity researchers, including how it gained its initial foothold, how it spread so fast and why the hackers are not making much money from it.

Some researchers have found evidence they say could link North Korea with the attack, but others are more cautious, saying that the first step is shedding light on even the most basic questions about the malware itself.

For one thing, said IBM Security’s Caleb Barlow, researchers are still unsure exactly how the malware spread in the first place. Most cybersecurity companies have blamed phishing e-mails – e-mails containing malicious attachments or links to files – that download the ransomware.

That’s how most ransomware finds its way onto victims’ computers.

The problem in the WannaCry case is that despite digging through the company’s database of more than 1 billion e-mails dating back to March 1, Barlow’s team could find none linked to the attack.

“Once one victim inside a network is infected it propagates,” Boston-based Barlow said in a phone interview, describing a vulnerability in Microsoft Windows that allows the worm to move from one computer to another.

The NSA used the Microsoft flaw to build a hacking tool codenamed EternalBlue that ended up in the hands of a mysterious group called the Shadow Brokers, which then published that and other such tools online.

But the puzzle is how the first person in each network was infected with the worm. “It’s statistically very unusual that we’d scan and find no indicators,” Barlow said.

Other researchers agree. “Right now there is no clear indication of the first compromise for WannaCry,” said Budiman Tsjin of RSA Security, a part of Dell.

Knowing how malware infects and spreads is key to being able to stop existing attacks and anticipate new ones. “How the hell did this get on there, and could this be repeatedly used again?” said Barlow.

PALTRY RANSOM

Some cybersecurity companies, however, say they’ve found a few samples of the phishing e-mails. FireEye said it was aware customers had used its reports to successfully identify some associated with the attack.

But the company agrees that the malware relied less on phishing e-mails than other attacks. Once a certain number of infections was established, it was able to use the Microsoft vulnerability to propagate without their help.

There are other surprises that suggest this is not an ordinary ransomware attack.

Only paltry sums were collected by the hackers, according to available evidence, mostly in the bitcoin cryptocurrency.

There were only three bitcoin wallets and the campaign has so far earned only $50,000 or so, despite the widespread infections. Barlow said that single payments in some other ransomware cases were more than that, depending on the victim.

Jonathan Levin of Chainalysis, which monitors bitcoin payments, said there were other differences compared to most ransomware campaigns: for instance the lack of sophisticated methods used in previous cases to convince victims to pay up. In the past, this has included hot lines in various languages.

And so far, Levin said, the bitcoin that had been paid into the attackers’ wallets remained there – compared to another campaign, known as Locky, which made $15 million while regularly emptying the bitcoin wallets.

“They really aren’t set up well to handle their bitcoin payments,” Levin said.

The lack of sophistication may bolster those cybersecurity researchers who say they have found evidence that could link North Korea to the attack.

A senior researcher from South Korea’s Hauri Labs, Simon Choi, said on Tuesday the reclusive state had been developing and testing ransomware programs only since August. In one case, the hackers demanded bitcoin in exchange for client information they had stolen from a South Korean shopping mall.

Choi, who has done extensive research into North Korea’s hacking capabilities, said his findings matched those of Symantec and Kaspersky Lab, who say some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, identified by some researchers as a North Korea-run hacking operation.

The Lazarus hackers have however been more brazen in their pursuit of financial gain than others, and have been blamed for the theft of $81 million from the Bangladesh central bank, according to some cybersecurity firms. The United States accused it of being behind a cyber attack on Sony Pictures in 2014.

Whoever is found to be behind the attack, said Marin Ivezic, a cybersecurity partner at PwC in Hong Kong, the way the hackers used freely available tools so effectively may be what makes this campaign more worrying.

By bundling a tool farmed from the leaked NSA files with their own ransomware, “they achieved better distribution than anything they could have achieved in a traditional way,” he said.

“EternalBlue (the hacking tool) has now demonstrated the ROI (return on investment) of the right sort of worm and this will become the focus of research for cybercriminals,” Ivezic said.

(Additional reporting by Ju-Min Park in Seoul; Editing by Raju Gopalakrishnan)

British hospitals, Spanish firms among targets of huge cyberattack

An ambulance waits outside the emergency department at St Thomas' Hospital in central London, Britain May 12, 2017. REUTERS/Stefan Wermuth

By Costas Pitas and Carlos Ruano

LONDON/MADRID (Reuters) – A huge cyberattack brought disruption to Britain’s health system on Friday and infected many Spanish companies with malicious software, and security researchers said a dozen other countries may be affected.

Hospitals and doctors’ surgeries in parts of England were forced to turn away patients and cancel appointments. People in affected areas were being advised to seek medical care only in emergencies.

“We are experiencing a major IT disruption and there are delays at all of our hospitals,” said the Barts Health group, which manages major London hospitals. Routine appointments had been canceled and ambulances were being diverted to neighboring hospitals.

Telecommunications giant Telefonica was among the targets in Spain, though it said the attack was limited to some computers on an internal network and had not affected clients or services.

Authorities in both countries said the attack was conducted using ‘ransomware’ – malicious software that infects machines, locks them up by encrypting data and demands a ransom to restore access. They identified the type of malware as ‘Wanna Cry’, also known as ‘Wanna Decryptor’.

A Telefonica spokesman said a window appeared on screens of infected computers that demanded payment with the digital currency bitcoin in order to regain access to files.

In Spain, the attacks did not disrupt the provision of services or network operations of the victims, the government said in a statement. Still, the news prompted security teams at large financial services firms and businesses around the world to review their plans for defending against ransomware attacks, according to executives with private cyber security firms.

A spokeswoman for Portugal Telecom said: “We were the target of an attack, like what is happening in all of Europe, a large-scale attack, but none of our services were affected.”

British-based cyber researcher Chris Doman of AlienVault said the ransomware “looks to be targeting a wide range of countries”, with preliminary evidence of infections from 14 countries so far, also including Russia, Indonesia and Ukraine.

PM BRIEFED

A spokesman for British Prime Minister Theresa May said she was being kept informed of the incident, which came less than four weeks before a parliamentary election in which national security and the management of the state-run National Health Service (NHS) are important campaign themes.

Authorities in Britain have been braced for possible cyberattacks in the run-up to the vote, as happened during last year’s U.S. election and on the eve of this month’s presidential vote in France.

But those attacks – blamed on Russia, which has repeatedly denied them – followed an entirely different modus operandi involving penetrating the accounts of individuals and political organizations and then releasing hacked material online.

The full extent of Friday’s disruption in Britain remained unclear.

“This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors,” NHS Digital, the computer arm of the health service, said in a statement.

Britain’s National Cyber Security Centre, part of the GCHQ spy agency, said it was aware of a cyber incident and was working with NHS Digital and the police to investigate.

A reporter from the Health Service Journal said the attack had affected X-ray imaging systems, pathology test results, phone systems and patient administration systems.

Although cyber extortion cases have been rising for several years, they have to date affected small-to-mid-sized organizations, disrupting services provided by hospitals, police departments, public transportation systems and utilities in the United States and Europe.

“Seeing a large telco like Telefonica get hit is going to get everybody worried. Now ransomware is affecting larger companies with more sophisticated security operations,” Chris Wysopal, chief technology officer with cyber security firm Veracode, said.

The news is also likely to embolden cyber extortionists when selecting targets, Chris Camacho, chief strategy officer with cyber intelligence firm Flashpoint, said.

“Now that the cyber criminals know they can hit the big guys, they will start to target big corporations. And some of them may not be well prepared for such attacks,” Camacho said.

In Spain, some big firms took pre-emptive steps to thwart ransomware attacks following a warning from Spain’s National Cryptology Centre of “a massive ransomware attack.”

Iberdrola and Gas Natural, along with Vodafone’s unit in Spain, asked staff to turn off computers or cut off internet access in case they had been compromised, representatives from the firms said.

It was not immediately clear how many Spanish organizations had been compromised by the attacks, if any critical services had been interrupted or whether victims had paid cyber criminals to regain access to their networks.

(Additional reporting by Jim Finkle, Eric Auchard, Jose Rodriguez, Alistair Smout, Kate Holton, Andy Bruce, Michael Holden and David Milliken; Editing by Mark Trevelyan and Ralph Boulton)

Islamic State militants developing own social media platform: Europol

A 3D printed logo of Twitter and an Islamic State flag are seen in this picture illustration taken February 18, 2016.

By Michael Holden

LONDON (Reuters) – Islamic State militants are developing their own social media platform to avoid security crackdowns on their communications and propaganda, the head of the European Union’s police agency said on Wednesday.

Europol Director Rob Wainwright said the new online platform had been uncovered during a 48-hour operation against Internet extremism last week.

“Within that operation it was revealed IS was now developing its very own social media platform, its own part of the Internet to run its agenda,” Wainwright told a security conference in London. “It does show that some members of Daesh (IS), at least, continue to innovate in this space.”

During a Europol-coordinated crackdown on IS and al Qaeda material, which involved officials from the United States, Belgium, Greece, Poland, and Portugal, more than 2,000 extremist items were identified, hosted on 52 social media platforms.

Jihadists have often relied on mainstream social media platforms for online communications and to spread propaganda, with private channels on messaging app Telegram being especially popular over the past year.

Technology firms, such as Facebook and Google, have come under increasing political pressure to do more to tackle extremist material online and to make it harder for groups such as Islamic State to communicate through encrypted services to avoid detection by security services.

However, Wainwright said that IS, by creating its own service, was responding to concerted pressure from intelligence agencies, police forces and the tech sector, and was trying to find a way around it.

“We have certainly made it a lot harder for them to operate in this space but we’re still seeing the publication of these awful videos, communications operating large scale across the Internet,” he said, adding he did not know if it would be technically harder to take down IS’s own platform.

Wainwright also said he believed that security cooperation between Britain and the EU would continue after Brexit, despite British warnings it is likely to leave Europol and cease sharing intelligence if it strikes no divorce deal with the bloc.

“The operational requirement is for that to be retained. If anything we need to have an even more closely integrated pan-European response to security if you consider the way in which the threat is heading,” he said.

Europe, he added, is facing “the highest terrorist threat for a generation”.

However, Wainwright said there were important legal issues that would have to be thrashed out and it was not easy “to just cut and paste current arrangements”.

“The legal issues have to be worked through and then they have to be worked through within of course the broader political context of the Article 50 negotiations (on Britain’s planned exit from the EU),” he said.

“In the end I hope the grown-ups in the room will realize that … security is one of the most important areas of the whole process. We need to get that right in the collective security interest of Europe as a whole, including of course the United Kingdom.”

(Additional reporting by Eric Auchard; editing by Mark Heinrich)

Turkish court rejects Wikipedia’s appeal over website’s blocking: Anadolu

Turkish court bans Wikipedia

ANKARA (Reuters) – A Turkish court on Friday rejected an appeal by the online encyclopedia Wikipedia against a government decision to block access to its website, the state-run Anadolu news agency said, a case that has heightened concerns about censorship in Turkey.

An Ankara court rejected the appeal from the Wikimedia Foundation, which operates Wikipedia, Anadolu said. It quoted the court as saying that while freedom of speech was a fundamental right, it can be limited in cases where there is a “necessity for regulation”.

Turkey’s telecommunications watchdog said last week that access to Wikipedia had been blocked, citing a law allowing it to ban access to websites deemed a threat to national security.

The block on the site was prompted by two Wikipedia entries accusing Turkey of links to Islamist militant groups, local media have reported. The communications ministry has said Wikipedia was attempting to run a “smear campaign” against the country, saying some articles purported that Ankara was coordinating with militant groups.

The Wikimedia Foundation has called for the Turkish government to restore full access to the site.

(Reporting by Tuvan Gumrukcu; Editing by David Dolan)