SAP pushes to patch risky HANA security flaws before hackers strike

SAP logo at SAP headquarters in Walldorf, Germany, January 24, 2017. REUTERS/Ralph Orlowski

By Eric Auchard

FRANKFURT (Reuters) – Europe’s top software maker SAP said on Tuesday it had patched vulnerabilities in its latest HANA software that had a potentially high risk of giving hackers control over databases and business applications used to run big multinational firms.

While hacks on phones, websites and computers that consumers rely on every day grab headlines, vulnerabilities in big business software are more lucrative to attackers because these tools store the data and run the transactions that are the lifeblood of businesses.

The latest security weaknesses, referred to in industry parlance as “zero day” vulnerabilities (loosely in this case: they were reported to SAP privately and patched before public disclosure, so no window without a fix is known to have existed), rank among the most critical ever found in HANA, the engine that runs SAP’s latest database, cloud and other more traditional business apps, according to Onapsis, the security company which uncovered these issues.

SAP software acts as the corporate plumbing for many multinationals and the company claims 87 percent of the top 2,000 global companies as customers.

Onapsis said the vulnerabilities lay in a HANA component known as “User Self Service” (USS) and would allow malicious insiders or remote attackers to fully compromise vulnerable systems without even a valid username or password.

It reported 10 HANA vulnerabilities to SAP less than 60 days ago, which the German software maker fixed in near-record time, according to interviews with executives of both companies.

The resulting patch issued by SAP on Tuesday was rated by the company at 9.8 on the 10-point CVSS scale, “very high” in terms of relative risk to its customers. SAP is releasing five HANA patches this week to fix a range of vulnerabilities uncovered in recent months.

“SAP has done a great job by releasing fixes much faster than in past situations,” Onapsis Chief Executive Mariano Nunez told Reuters in an interview.

Customers must in turn choose when to apply such patches to software that runs their most critical corporate functions, a process that may take months or, in rare cases, years. They must balance security risks against operational demands.

SAP executives urged security managers working for its customers to patch relevant systems.

“There has not been one case where a customer who applied the recommended patches has been affected,” Siddhartha Rao, vice president of SAP Product Security Response, said of the six years he has been on the job. “We currently expect there will not be that many customers affected by these issues,” he said.

Last May, however, the U.S. Department of Homeland Security issued an alert advising SAP customers they needed to urgently plug holes for which SAP already had offered patches in 2010, but which some customers failed to adopt, leaving dozens exposed to hacker break-ins afterward. (http://reut.rs/2mkTVgI)

Three dozen enterprises were found to have telltale signs of unauthorized access due to outdated or misconfigured SAP NetWeaver Java systems, Onapsis said at the time.

Onapsis helps secure more than 200 SAP customers ranging from Schlumberger to Sony Corp, Westinghouse and the U.S. Army. It also identifies security vulnerabilities for corporate customers in rival systems from Oracle.

Giving HANA customers breathing room, the USS component first offered by SAP in October 2014 is not activated by default, but must be specially enabled, Onapsis said.

It has identified two companies – an energy company and a retailer – where vulnerabilities were found and fixed. Companies which are not using USS features are unaffected, Onapsis said.

Technical details can be found on the security blogs of SAP (https://goo.gl/11Dz5w) and Onapsis (https://goo.gl/Xiryyp). There is no evidence hackers have taken advantage so far, the companies said.

Last year, the company issued more than 160 patches in all, SAP said. Ten percent of these were HANA related, Onapsis added.

(Reporting by Eric Auchard; Editing by Stephen Coates)

Consumer Reports to consider cyber security in product reviews

A lock icon, signifying an encrypted Internet connection, is seen on an Internet Explorer browser in a photo illustration in Paris April 15, 2014. REUTERS/Mal Langsdon

(Reuters) – Consumer Reports, an influential U.S. non-profit group that conducts extensive reviews of cars, kitchen appliances and other goods, is gearing up to start considering cyber security and privacy safeguards when scoring products.

The group, which issues scores that rank products it reviews, said on Monday it had collaborated with several outside organizations to develop methodologies for studying how easily a product can be hacked and how well customer data is secured.

Consumer Reports will gradually implement the new methodologies, starting with test projects that evaluate small numbers of products, Maria Rerecich, the organization’s director of electronics testing, said in a phone interview.

“This is a complicated area. There is going to be a lot of refinement to get this right,” Rerecich said.

The effort follows a surge in cyber attacks leveraging easy-to-exploit vulnerabilities in webcams, routers, digital video recorders and other connected devices, which are sometimes collectively referred to as the internet of things.

“Personal cyber security and privacy is a big deal for everyone. This is urgently needed,” said Craig Newmark, the founder of Craigslist who sits on the board of directors at Consumer Reports.

In one high-profile October attack, hackers used a piece of software known as Mirai to cripple an internet infrastructure provider, blocking access to PayPal, Spotify, Twitter and dozens of other websites for hours. Another attack in November shut off internet access to some 900,000 Deutsche Telekom customers.

Security researchers have said the attacks are likely to continue because there is little incentive for manufacturers to spend on securing connected devices.

“We need to shed light that this industry really hasn’t been caring about the build quality and software safety,” said Peiter Zatko, a well-known hacker who is director of Cyber Independent Testing Lab, one of the groups that helped Consumer Reports establish the standards.

The first draft of the standards is available online at https://thedigitalstandard.org.

Issues covered in the draft include reviewing whether software is built using best security practices, studying how much information is collected about a consumer and checking whether companies delete all user data when an account is terminated.

Jeff Joseph, senior vice president for the Consumer Technology Association, called the decision by Consumer Reports a “positive step” but cautioned that the group “must be very clear about how they score products and the limitations of what consumers can expect.”

(Reporting by Jim Finkle in Boston; Editing by Peter Cooney and Lisa Shumaker)

Hong Kong police struggle to stop brokerage hacking spree


By Michelle Price

HONG KONG (Reuters) – Hong Kong police are struggling to deal with digital pump-and-dump schemes targeting brokerages – a little-known type of computer-generated fraud that surged in the Chinese territory last year.

Although the money involved was small – only about $20 million worth of shares – there were 81 such incidents reported in 2016, more than triple the number in 2015, according to police.

In the scheme, criminals invest in thinly traded penny stocks and then manipulate their share prices by ordering trades from hacked brokerage accounts. They earn profits by selling before the fraudulent trades are reported.

After last year’s cyber-heist of $81 million at Bangladesh’s central bank and a series of hacks of ATMs around the world, authorities fear such pump-and-dump schemes could be increasingly used for electronic theft.

Hong Kong is a favored place for such attacks because of the number of thinly-traded penny stocks in the territory and because its securities industry has fallen behind other financial centers in defending against cyber fraud.

At least seven brokers and eight banks have been targeted in Hong Kong, including HSBC Holdings Plc and Bank of China International (BOCI) Securities, according to regulators and people familiar with confidential investigations.

A spokesman for HSBC declined to comment.

A spokeswoman for BOCI Securities said she could not comment on its case but the brokerage would continue to invest in IT security.

“If you ask regulators in the industry what is the number one threat, not surprisingly it’s all about cyber attacks,” Ashley Alder, CEO of the Hong Kong Securities and Futures Commission (SFC) and chairman of the International Organization of Securities Commissions, said in a speech to the local legislature last week.

“We’ve seen that happen not only in banking but also at brokers in Hong Kong, in particular recent attacks to do with basically hijacking share trading accounts.”

Such schemes surfaced more than a decade ago in the United States. Charles Schwab Corp, E*Trade Financial Corp and JP Morgan Chase & Co. were identified as victims of these schemes in a 2006 complaint filed by the Securities and Exchange Commission.

The pace of attacks reported in the United States has slowed in recent years after big brokerages implemented a variety of strategies to thwart the hacks, said John Reed Stark, a former chief of the Securities and Exchange Commission’s (SEC) Office of Internet Enforcement.

Some use algorithms to identify and halt unusual trading activity, others scrutinize Internet traffic for orders coming from suspicious servers, and one stopped letting customers buy penny stocks through its online trading platform, said Stark, who now runs cyber-security consulting firm John Reed Stark Consulting LLC.

But such protections are rare in Hong Kong, where the government has only recently started suggesting security improvements to banks and brokerages which have traditionally considered stock trading to be low-risk.

TWO-FACTOR AUTHENTICATION

The Hong Kong SFC last year told firms to increase surveillance of client transactions and data protection.

Authorities believe that hackers accessed brokerage accounts using stolen or guessed passwords, according to investigators. This might have been thwarted if they were protected with two-factor authentication, the Hong Kong Monetary Authority has said.

Two-factor authentication typically includes a password and a piece of information only the user has, for instance an electronic token with changing numbers.
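The “electronic token with changing numbers” described above is normally a TOTP generator. The following is an added example, not code from the article or from any of the brokerages or regulators it names: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library and wraps them in a hypothetical login check that requires both a password and a current code. The shared secret is the RFC test key, the Account class and its credentials are constructed for illustration, and the one-step tolerance window and single-use rule are design choices, not something the article specifies.

```python
import hashlib
import hmac
import os
import struct

# RFC 4226 / RFC 6238 test key (ASCII "12345678901234567890"); a real deployment
# generates a random per-user secret and shares it with the token once, out of band.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, at // step, digits)


def matching_step(secret: bytes, code: str, at: int, step: int = 30, window: int = 1):
    """Return the time step whose code equals `code`, or None.

    Checking one step either side tolerates clock drift between token and server.
    The constant-time comparison keeps the check from leaking how many digits matched.
    """
    base = at // step
    for k in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + k).encode(), code.encode()):
            return base + k
    return None


class Account:
    """Hypothetical brokerage login record: salted PBKDF2 password hash plus a TOTP secret."""

    ITERATIONS = 200_000

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = self._derive(password, self.salt)
        self.totp_secret = totp_secret
        self.last_step = -1  # highest time step already accepted; a code is valid once only

    @classmethod
    def _derive(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def login(self, password: str, code: str, now: int) -> bool:
        """Both factors are always evaluated, so a stolen or guessed password alone never
        logs in, and a code that was already accepted cannot be replayed."""
        pw_ok = hmac.compare_digest(self._derive(password, self.salt), self.pw_hash)
        step = matching_step(self.totp_secret, code, now)
        if not pw_ok or step is None or step <= self.last_step:
            return False
        self.last_step = step
        return True


if __name__ == "__main__":
    acct = Account("correct horse battery staple", RFC_TEST_SECRET)  # constructed credentials
    now = 1111111109  # RFC 6238 sample timestamp; the 6-digit code at this time is 081804
    print("password only:   ", acct.login("correct horse battery staple", "", now))
    print("password + code: ", acct.login("correct horse battery staple", totp(RFC_TEST_SECRET, now), now))
    print("replayed code:   ", acct.login("correct horse battery staple", totp(RFC_TEST_SECRET, now), now))
```

The drift window is deliberately small: every extra step the server accepts is another code an attacker who has phished one may replay, and the `last_step` record ensures that even a code captured in transit is useless once the legitimate user has used it.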

“Hong Kong is being targeted because they have not instituted the same cyber protections that we see in the U.S. and certain parts of Europe,” said Jeff Cramer, a former U.S. prosecutor.

Cramer, who is managing director with cyber-security investigations firm Berkeley Research Group, said he expects to see more attacks in Hong Kong and perhaps other Asian nations, including China, Japan and South Korea that are also behind in cyber security.

FIGHTING BACK

Such pump and dump cases have proven tough to crack in the United States because the masterminds are typically overseas, using surrogates and pseudonyms to make investments.

Brokerages are typically not required to go public when they are hacked, so cases often only surface when the government files a complaint against suspected cyber criminals, or the hack results in litigation.

The attack involving BOCI Securities last year became public after it was sued by a customer that claimed its account was breached.

Trading firm Fast Track Holdings Limited alleged in court documents that somebody hacked into its brokerage account on the afternoon of September 23 using a valid user ID and password. Within 18 minutes, the intruder had emptied the account by spending HK$38 million to buy 49 million shares of thinly traded Pa Shun Pharmaceutical, according to Fast Track.

The stock soared more than 30 percent after the purchase, which was made at a 36 percent premium to the previous day’s closing price, Reuters data shows.

BOCI alerted Fast Track of the suspicious activity an hour later, but it has said in court documents it should not be held financially responsible, saying it found no evidence its systems had been compromised.

Peter Pang, Pa Shun’s CFO, told Reuters the management “would keep an eye to the incident and report to the regulators and the public when necessary”.

One person familiar with the case said Fast Track’s management believes the incident was a pump and dump scam and that Pa Shun was targeted because it is thinly-traded, but it remained unclear who was responsible.

Fast Track’s directors did not respond to requests for comment.

(Additional reporting by Jim Finkle in Boston and Jessica Yu, Katy Wong and Donny Kwok in Hong Kong; Editing by Raju Gopalakrishnan)

Austrian parliament says Turkish Islamist hackers claim cyber attack


VIENNA (Reuters) – Austria’s parliament said on Tuesday that a Turkish Islamist hackers’ group had claimed responsibility for a cyber attack that brought down its website for 20 minutes this weekend.

Aslan Neferler Tim (ANT), or Lion Soldiers Team, whose website says it defends the homeland, Islam, the nation and flag, without any party political links, claimed the attack, a parliamentary spokeswoman said.

Relations between Turkey and Austria soured last year after President Tayyip Erdogan cracked down on dissent following a failed coup, and Vienna has since been alone within the European Union in pushing for accession talks with Ankara to be dropped.

On its Facebook page on Sunday afternoon, above a screenshot indicating the website was not loading, ANT said in Turkish: “Our reaction will be harsh in response to this racism of Austria against Muslims!!! (Parliament down).”

ANT says it has carried out “operations” against the pro-Kurdish Peoples’ Democratic Party (HDP), the Austrian central bank and an Austrian airport.

An Interior Ministry spokesman said on Tuesday that an investigation had begun into the cyber attack and, declining to elaborate further, noted that no data had been lost.

A parliamentary spokeswoman said: “ANT has claimed responsibility.” When asked if ANT was responsible, she said: “We assume so.”

The website was brought down after the server was flooded with service requests, a so-called DDoS (distributed denial-of-service) attack, similar to an attack last November that targeted the Foreign Affairs and Defense Ministries’ websites, a statement from parliament said.

DDoS attacks are among the most common cyber threats. One such attack targeted the European Commission’s computers in November.
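The parliament statement describes the mechanism only as a flood of requests. As an added example that is not part of the article and not code from the Austrian parliament or any investigator, the following runs simple flood detection over a constructed web server log: a sliding window counts requests per source, to catch a single host hammering the server, and requests in total, to catch a distributed flood in which no single host exceeds a per-source limit. The log lines, IP addresses, thresholds and start time are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log style line (Apache/nginx); only the fields the detector needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Start time of the constructed sample log (hypothetical; not taken from the article).
T0 = datetime(2017, 2, 5, 12, 0, 0, tzinfo=timezone.utc)
T0_EPOCH = int(T0.timestamp())


def parse_line(line: str):
    """Return the fields of one log line, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "t": int(when.timestamp()), "req": m["req"]}


def flood_alerts(lines, window: int = 10, per_ip_max: int = 50, total_max: int = 300):
    """Slide a `window`-second window over time-ordered requests.

    A source whose count inside the window exceeds per_ip_max is a single flooder.
    A window whose total exceeds total_max is flagged regardless of source: a distributed
    flood can keep every individual host under the per-source limit.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["t"])  # stable sort keeps input order within a second
    recent = deque()
    per_ip = defaultdict(int)
    sources, windows = set(), set()
    for e in events:
        recent.append(e)
        per_ip[e["ip"]] += 1
        while recent[0]["t"] <= e["t"] - window:  # keep only events in (t - window, t]
            old = recent.popleft()
            per_ip[old["ip"]] -= 1
        if per_ip[e["ip"]] > per_ip_max:
            sources.add(e["ip"])
        if len(recent) > total_max:
            windows.add(e["t"])  # epoch second at which the window was saturated
    return {"sources": sources, "windows": windows}


def make_sample():
    """Constructed log: five normal clients at 1 request/s for 60 s; one host sending
    20 requests/s during seconds 20-29; and 400 distinct hosts sending one request each
    during second 45, a botnet-style burst that no per-source threshold catches."""
    def line(ip, sec, path="/"):
        ts = (T0 + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'
    lines = [line(f"10.0.0.{i}", sec) for sec in range(60) for i in range(1, 6)]
    lines += [line("203.0.113.7", sec, f"/?n={n}") for sec in range(20, 30) for n in range(20)]
    lines += [line(f"198.51.{n // 250}.{n % 250 + 1}", 45) for n in range(400)]
    return lines


if __name__ == "__main__":
    result = flood_alerts(make_sample())
    print("single-source flooders:", sorted(result["sources"]))
    print("saturated windows end at seconds:", sorted(t - T0_EPOCH for t in result["windows"]))
```

Run on the sample, the per-source rule names only 203.0.113.7, while the 400-host burst is visible only through the aggregate rule, which stays tripped for the ten seconds the burst remains inside the window. In practice the thresholds come from the site's own baseline, and a detector like this is a trigger for upstream filtering, not a defence in itself.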

The Vienna-based Organization for Security and Cooperation in Europe (OSCE) was also recently the target of a cyber attack.

(Reporting by Shadia Nasralla, Francois Murphy in VIENNA and Daren Butler in ISTANBUL; Editing by Louise Ireland)

U.S. Treasury holds debt auctions steady, plans cyber test


By Jason Lange

WASHINGTON (Reuters) – The U.S. Treasury announced on Wednesday it will hold the size of coupon auctions steady in the upcoming quarter when it conducts a small “contingency auction” that an official said would test its ability to borrow following a cyber attack.

It was unclear how much of a role, if any, the White House had in crafting the Treasury’s quarterly debt policy statement, which was the first since President Donald Trump took office last month.

The U.S. Senate has yet to confirm Trump’s Treasury secretary nominee, Steven Mnuchin. Several Treasury officials from the Obama administration have left, with their positions filled on a temporary basis by career bureaucrats or political appointees from the last administration.

The latest policy statement was made by Monique Rollins, Treasury’s acting assistant secretary for financial markets and a holdover from the Obama administration. A Treasury official told reporters separately that the new political leadership was aware of the debt policies announced on Wednesday.

Rollins said in the policy statement that Treasury plans to offer $62 billion in notes and bonds next week, raising approximately $17 billion in new cash.

The contingency test was part of regular auction infrastructure testing, Rollins said.

The Treasury official who briefed reporters separately said the test would gauge the government’s ability to borrow money if a cyber attack disrupted normal auctions.

On future coupon sizes, Rollins said the department “will continue to monitor projected financing needs and make appropriate adjustments as necessary.”

(Reporting by Jason Lange; Editing by Paul Simao)

French central bank chief urges insurers to step up cyber risk coverage


PARIS (Reuters) – France’s central bank governor called on French insurers to enhance cyber risk coverage for their clients, as hack attacks and data privacy laws in Europe spur rising demand.

“With the help of reinsurers, insurers should be able to meet demands of cyber risk coverage, a concern that affects all businesses,” Francois Villeroy de Galhau said during a conference in Paris.

Though growing fast, the European cyber insurance market remains dwarfed by that in the United States, but is likely to expand in the coming years as new EU regulations come into force requiring firms to disclose when they have been the victim of an attack.

Around 28 percent of companies in Europe have been subject to a cyber attack over the past 12 months, but only 13 percent of companies have purchased cyber insurance, Marsh & McLennan Co’s (MMC.N) Marsh broker unit said in a survey, published in October 2016.

The value of global cyber insurance premiums outstanding is estimated by Marsh & McLennan Co’s (MMC.N) Marsh broker unit to be around $3.5 billion, with $3 billion coming from the United States and around $300 million coming from Europe.

“Insurance companies should learn from their own experience … in order to create a more mature market in France and Europe for insurance against cyber risks,” Villeroy added.

(Reporting by Maya Nikolaeva and Myriam Rivet; Editing by Leigh Thomas)

Saudi Arabia warns on cyber defense as Shamoon resurfaces


KHOBAR, Saudi Arabia (Reuters) – Saudi Arabia on Monday warned organizations in the kingdom to be on the alert for the Shamoon virus, which cripples computers by wiping their disks, as the labor ministry said it had been attacked and a chemicals firm reported a network disruption.

An alert from the telecoms authority seen by Reuters advised all parties to be vigilant for attacks from the Shamoon 2 variant of the virus that in 2012 crippled tens of thousands of computers at oil giant Saudi Aramco.

Shamoon disrupts computers by overwriting the master boot record (MBR), the first sector of the disk that the firmware reads to locate and load the operating system, making it impossible for them to start up. Former U.S. Defense Secretary Leon Panetta said the 2012 Shamoon attack on Saudi Aramco was probably the most destructive cyber attack on a private business.

In the 2012 hacks, images of a burning U.S. flag were used to overwrite the drives of victims including Saudi Aramco and RasGas Co Ltd. In the recent attacks, an image of the body of 3-year-old drowned Syrian refugee Alan Kurdi was used, according to U.S. security researchers.
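When a disk from a machine that no longer boots reaches a responder, the first question is whether sector 0 still holds a usable MBR. The following is an added example, not code from the article, from Shamoon, or from any of the firms named: it parses the classic 512-byte MBR layout (boot code, four 16-byte partition entries at offset 446, the 0x55AA signature at offset 510) and lists the reasons a sector could not be booted from, then shows the same check on a copy of the sector overwritten with image-file bytes, as the wiper described above does. The synthetic MBR, the partition values and the stand-in image bytes are constructed for the example; Shamoon's own on-disk behaviour beyond "overwrites the MBR" is not reproduced.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # 440 bytes of boot code, 4-byte disk signature, 2 reserved
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510-511 of a valid MBR

# Constructed stand-in for the leading bytes of a JPEG; a real wiper uses a full image file.
FAKE_IMAGE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256))


def build_mbr(partitions, bootstrap: bytes = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c") -> bytes:
    """Construct a synthetic MBR from (bootable, type, lba_start, sectors) tuples (test data only)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootstrap)] = bootstrap  # a few bytes standing in for real boot code
    for i, (bootable, ptype, lba, count) in enumerate(partitions[:4]):
        off = PART_TABLE_OFFSET + 16 * i
        sector[off:off + 16] = struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00,
                                           b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Parse sector 0 and list the reasons, if any, why firmware could not boot from it."""
    problems = []
    if len(sector) != SECTOR_SIZE:
        return {"intact": False, "partitions": [], "problems": ["sector is not 512 bytes"]}
    if sector[510:512] != BOOT_SIGNATURE:
        problems.append("missing 0x55AA boot signature")
    if not any(sector[:PART_TABLE_OFFSET]):
        problems.append("boot code area is all zeros")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        if not any(sector[off:off + 16]):
            continue  # unused entry
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if status not in (0x00, 0x80):
            problems.append(f"entry {i}: invalid status byte 0x{status:02x}")
        if ptype == 0 or count == 0:
            problems.append(f"entry {i}: empty type or zero length in a used entry")
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    # Overlapping partitions are a further sign that the table is garbage rather than data.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parts)
    if any(nxt[0] < cur[1] for cur, nxt in zip(spans, spans[1:])):
        problems.append("overlapping partitions")
    return {"intact": not problems, "partitions": parts, "problems": problems}


def overwrite_with_image(sector: bytes, image: bytes) -> bytes:
    """Simulate a wiper replacing sector 0 with the first 512 bytes of an image file."""
    repeats = SECTOR_SIZE // len(image) + 1
    return (image * repeats)[:SECTOR_SIZE]


if __name__ == "__main__":
    disk = build_mbr([(True, 0x07, 2048, 204800), (False, 0x83, 206848, 100000)])
    print("clean sector:", parse_mbr(disk)["problems"])
    print("wiped sector:", parse_mbr(overwrite_with_image(disk, FAKE_IMAGE))["problems"])
```

On a real image the same parse is applied to the first 512 bytes of the acquired disk; a missing signature or nonsensical partition entries confirm the MBR was overwritten, and the partition boundaries from a backup or a partition-scanning tool are what recovery then works from. Note that a wiper overwriting only the MBR leaves filesystem data in place, whereas Shamoon's 2012 variant also overwrote files, so an intact MBR does not by itself mean the data survived.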

The Shamoon hackers were likely working on behalf of the Iranian government in the 2012 campaign and the more-recent attacks, said Adam Meyers, vice president with cyber security firm CrowdStrike. “It’s likely they will continue,” he said.

State-controlled Al Ekhbariya TV said on Twitter, using the hash tag #Shamoon, that several Saudi organizations had been targeted in recent cyber attacks.

The state news agency, meanwhile, said the labor ministry had been hit by a cyber attack, but that it did not impact its data.

Jubail-based Sadara Chemical Co, a joint venture firm owned by Saudi Aramco and U.S. company Dow Chemical, said it had experienced a network disruption on Monday morning and was working to resolve the issue.

The company made the disclosure on its official Twitter account after the warning by Al Ekhbariya TV, which cited the telecoms authority.

It did not say whether the disruption was due to a cyber attack but said as a precautionary measure it had stopped all services related to the network.

Other companies in Jubail, the hub of the Saudi petrochemicals industry, also experienced network disruptions, according to sources who were not authorized to publicly discuss the matter.

Those companies sought to protect themselves from the virus by shutting down their networks, said the sources, who declined to identify specific firms.

(Reporting by Reem Shamseddine. Additional reporting by Jim Finkle.; Writing By Maha El Dahan; Editing by Mark Potter and Andrew Hay)

Ukraine’s power outage was a cyber attack: Ukrenergo


By Pavel Polityuk, Oleg Vukmanovic and Stephen Jewkes

KIEV/MILAN (Reuters) – A power blackout in Ukraine’s capital Kiev last month was caused by a cyber attack and investigators are trying to trace other potentially infected computers and establish the source of the breach, utility Ukrenergo told Reuters on Wednesday.

When the lights went out in northern Kiev on Dec. 17-18, power supplier Ukrenergo suspected a cyber attack and hired investigators to help it determine the cause following a series of breaches across Ukraine.

Preliminary findings indicate that workstations and Supervisory Control and Data Acquisition (SCADA) systems, linked to the 330 kilovolt (kV) sub-station “North”, were influenced by external sources outside normal parameters, Ukrenergo said in comments emailed to Reuters.

“The analysis of the impact of symptoms on the initial data of these systems indicates a premeditated and multi-level invasion,” Ukrenergo said.

Law enforcement officials and cyber experts are still working to compile a chronology of events, draw up a list of compromised accounts, and determine the penetration point, while tracing computers potentially infected with malware in sleep mode, it said.

The comments make no mention of which individual, group or country may have been behind the attack.

“It was an intentional cyber incident not meant to be on a large scale… they actually attacked more but couldn’t achieve all their goals,” said Marina Krotofil, lead cyber-security researcher at Honeywell, who assisted in the investigation.

In December 2015, a first-of-its-kind cyber attack cut the lights to 225,000 people in western Ukraine, with hackers also sabotaging power distribution equipment, complicating attempts to restore power.

Ukrainian security services blamed that attack on Russia.

In the latest attack, hackers are thought to have hidden in Ukrenergo’s IT network undetected for six months, acquiring privileges to access systems and figure out their workings, before taking methodical steps to take the power offline, Krotofil said.

“The team involved had quite a few people working in it, with very serious tools and an engineer who understands the power infrastructure,” she said.

The attacks against Ukraine’s power grid are widely seen by experts as the first examples of hackers shutting off critical energy systems supplying heat and light to millions of homes.

(Writing by Oleg Vukmanovic; reporting by Pavel Polityuk in Kiev, Oleg Vukmanovic and Stephen Jewkes in Milan; editing by Susan Fenton/Ruth Pitchford)

White House voices concerns about China cyber law

A lock icon, signifying an encrypted Internet connection, is seen on an Internet Explorer browser in a photo illustration in Paris

WASHINGTON (Reuters) – The White House said on Thursday that it raised concerns about China’s new cyber security law during a meeting with a Chinese official after the latest round of talks between the two countries on cyber crime.

U.S. National Security Adviser Susan Rice met with Chinese State Councilor Guo Shengkun to discuss the importance “of fully adhering” to an anti-hacking accord signed last year between China and the United States, National Security Council spokesman Ned Price said.

The deal, brokered during Chinese President Xi Jinping’s state visit to Washington in 2015, included a pledge that neither country would knowingly carry out hacking for commercial advantages.

Rice told Guo that the United States was concerned “about the potential impacts” of a law that China adopted in November aimed at combating hacking and terrorism.

Critics of the law say it threatens to shut foreign technology companies out of various sectors deemed “critical,” and includes contentious requirements for security reviews and for data to be stored on servers in China.

Rights advocates also say the law will enhance restrictions on China’s Internet, already subject to the world’s most sophisticated online censorship mechanism, known outside China as the Great Firewall.

Rice met with Guo after the third round of high level talks on cyber security between China and the United States was held on Wednesday.

(Reporting by Ayesha Rascoe; Editing by Alistair Bell)

Russia says foreign spies plan cyber attack on banking system

A hand is silhouetted in front of a computer screen in this picture illustration taken in Berlin

By Christian Lowe and Natalia Zinets

MOSCOW/KIEV (Reuters) – Russia said on Friday it had uncovered a plot by foreign spy agencies to sow chaos in Russia’s banking system via a coordinated wave of cyber attacks and fake social media reports about banks going bust.

Russia’s domestic intelligence agency, the Federal Security Service (FSB), said that the servers to be used in the alleged cyber attack were located in the Netherlands and registered to a Ukrainian web hosting company called BlazingFast.

The attack, which was to target major national and provincial banks in several Russian cities, was meant to start on Dec. 5, the FSB said in a statement.

“It was planned that the cyber attack would be accompanied by a mass send-out of SMS messages and publications in social media of a provocative nature regarding a crisis in the Russian banking system, bankruptcies and license withdrawals,” it said.

“The FSB is carrying out the necessary measures to neutralize threats to Russia’s economic and information security.”

The statement did not say which countries’ intelligence agencies were behind the alleged plot.

SITUATION ‘UNDER CONTROL’

Russia’s central bank said it was aware of the threat and was in constant contact with the security services. In a statement sent to Reuters, it said it had drawn up a plan to counteract any attack.

“The situation is under control. Banks have been given necessary guidance,” the central bank said.

Anton Onoprichuk, director of Kiev-based BlazingFast, said neither the FSB nor any other intelligence agency had been in touch with his company. He told Reuters he was waiting for more information so his firm could investigate.

Asked if his servers could be used to mount a cyber attack he said: “Technically it is possible. It is possible with any hosting company, where you rent a server. You can attack whatever (you want) from it and in 99 percent of cases it will become known only after the event.”

Russia has been on high alert for foreign-inspired cyber attacks since U.S. officials accused the Kremlin of being involved in hacks on Democratic Party emails during the U.S. presidential election.

U.S. Vice President Joe Biden said at the time that the United States would mount a “proportional” response to Russia.

Since then, there have been a number of cyber attacks affecting Russian institutions, though it is unclear if they were linked to the row between Moscow and Washington.

In October, a network of Ukrainian hackers released a cache of emails obtained from the account of an aide to Kremlin adviser Vladislav Surkov.

And on Nov. 11, Russian lenders Sberbank and Alfa Bank said they had been hit by cyber attacks.

Sberbank on Friday declined to comment on the FSB’s statement. The press service of VTB, Russia’s second-largest state-run lender, said its security systems guaranteed clients’ transactions were completely protected.

(Additional reporting by Natalia Zinets in KIEV, Elena Fabrichnaya and Kira Zavyalova in MOSCOW; Writing by Christian Lowe; Editing by Andrew Osborn)