FBI paid more than $1.3 million to break into San Bernardino iPhone


By Julia Edwards

WASHINGTON (Reuters) – Federal Bureau of Investigation Director James Comey said on Thursday the agency paid more to get into the iPhone of one of the San Bernardino shooters than he will make in the remaining seven years and four months he has in his job.

According to figures from the FBI and the U.S. Office of Management and Budget, Comey’s annual salary as of January 2015 was $183,300. Without a raise or bonus, Comey will make $1.34 million over the remainder of his job.

That suggests the FBI paid the largest ever publicized fee for a hacking job, easily surpassing the $1 million paid by U.S. information security company Zerodium to break into phones.

Speaking at the Aspen Security Forum in London, Comey was asked by a moderator how much the FBI paid for the software that eventually broke into the iPhone.

“A lot. More than I will make in the remainder of this job, which is seven years and four months for sure,” Comey said. “But it was, in my view, worth it.”

The Justice Department said in March it had unlocked the San Bernardino shooter’s iPhone with the help of an unidentified third party and dropped its case against Apple Inc <AAPL.O>, ending a high-stakes legal clash but leaving the broader fight over encryption unresolved.

Comey said the FBI will be able to use the software that was used on the San Bernardino phone on other iPhone 5C devices running iOS 9.

There are about 16 million 5C iPhones in use in the United States, according to estimates from research firm IHS Technology. Eighty-four percent of iOS devices overall are running iOS 9 software, according to Apple.

The FBI gained access to the iPhone used by Rizwan Farook, one of the shooters who killed 14 people in San Bernardino, California on Dec. 2.

The case raised the debate over whether technology companies’ encryption technologies protect privacy or endanger the public by blocking law enforcement access to information.

(Reporting by Julia Edwards in Washington; additional reporting by Julia Love in San Francisco; Editing by Simon Cameron-Moore)

Trail in cyber heist suggests hackers were Chinese: senator


By Karen Lema

MANILA (Reuters) – A Philippine senator said on Wednesday that Chinese hackers were likely to have pulled off one of the world’s biggest cyber heists at the Bangladesh central bank, citing the network of Chinese people involved in the routing of the stolen funds through Manila.

Unidentified hackers infiltrated the computers at Bangladesh Bank in early February and tried to transfer a total of $951 million from its account at the Federal Reserve Bank of New York.

All but one of the 35 attempted transfers were to the Rizal Commercial Banking Corp (RCBC), confirming the Philippines’ centrality to the heist.

Most transfers were blocked, but a total of $81 million went to four accounts at a single RCBC branch in Manila. The stolen money was swiftly transferred to a foreign exchange broker and distributed to casinos and gambling agents in Manila.

“The hacking was done, chances are, by Chinese hackers,” Senator Ralph Recto told Reuters in a telephone interview. “Then they saw that, in the Philippines, RCBC particularly was vulnerable and sent the money over here.”

Beijing was quick to denounce the comments by Recto, vice chairman of the Senate Committee on Finance and a former head of the Philippines’ economic planning agency.

The suggestion that Chinese hackers were possibly involved was “complete nonsense” and “really irresponsible,” Chinese foreign ministry spokesman Lu Kang told reporters.

Recto said he couldn’t prove the hackers were Chinese, but was merely “connecting the dots” after a series of Senate hearings into the scandal.

At one hearing, a Chinese casino boss and junket operator called Kim Wong named two high-rolling gamblers from Beijing and Macau who he said had brought the stolen money into the Philippines. He displayed purported copies of their passports, showing they were mainland Chinese and Macau administrative region nationals respectively.

“BEST LEAD”

Wong, a native of Hong Kong who holds a Chinese passport, received almost $35 million of the stolen funds through his company and a foreign exchange broker.

The two Chinese named by Wong “are the best lead to determine who are the hackers,” said Recto. “Chances are… they must be Chinese.”

The whereabouts of the two high-rollers were unknown, Recto added, saying the Senate inquiry “may” seek help from the Chinese government to find them.

Recto also questioned the role of casino junket operators in the Philippines, saying many of them have links in Macau, the southern Chinese territory that is the world’s biggest casino hub. “There are junket operators who are from Macau, so it (the money) may find its way back to Macau,” he said.

A senior executive at a top junket operator in Macau told Reuters there was “no reason” to bring funds from the Philippines to Macau.

“This seems more like a political story in the Philippines,” he said, speaking anonymously because he was not authorized to talk to the media.

The U.S. State Department said in a report last month that the gaming industry was “a weak link” in the Philippines’ anti-money laundering regime.

Philrem, the foreign exchange agent, said it distributed the stolen $81 million to Bloomberry Resorts Corp, which owns and operates the upmarket Solaire casino in Manila; to Eastern Hawaii Leisure Company, which is owned by Wong; and to an ethnic Chinese man believed to be a junket operator in Manila.

Wong has returned $5.5 million to the Philippines’ anti-money laundering agency and has promised to hand over another $9.7 million. A portion of the money he received, he said, has already been spent on gambling chips for clients.

Solaire has told the Senate hearing that the $29 million that ended up with them was credited to an account of the Macau-based high-roller but it has managed to seize and confiscate $2.33 million in chips and cash.

(Writing by Andrew R.C. Marshall; Additional reporting by Farah Master in Hong Kong; Editing by Raju Gopalakrishnan)

U.S. to charge Iranians in cyber attacks, including New York dam

WASHINGTON (Reuters) – The Obama administration is expected to blame Iranian hackers as soon as Thursday for a coordinated campaign of cyber attacks in 2012 and 2013 on a suburban New York City dam and several other targets, sources familiar with the matter have told Reuters.

In one of the largest foreign cyber attack cases since 2014 when the United States charged five Chinese military hackers, the U.S. Justice Department has prepared an indictment against about a half-dozen Iranians, said four sources, who spoke on condition of anonymity due to the sensitivity of the matter.

The charges, related to unlawful access to computers and other alleged crimes, were expected to be announced publicly by U.S. officials as soon as Thursday morning at a news conference in Washington, the sources said.

The indictment was expected to directly link the hacking campaign to the Iranian government, one source said.

Though the breach of back-office computer systems at the Bowman Avenue Dam in Rye Brook, New York has been reported, it was only part of a hacking campaign that was broader than previously known, as the indictment will show, the sources said.

In the intrusion of the dam computers, the hackers did not gain operational control of the floodgates, and investigators believe they were attempting to test their capabilities.

The dam breach coincided roughly with attacks on U.S. financial institutions. Cyber security experts have said these, too, were perpetrated by Iranian hackers against Capital One, PNC Financial Services and SunTrust Bank. Prosecutors were considering including those breaches in the indictment, sources said.

The hackers who were expected to be named in the indictment all reside in Iran, one source said.

The Justice Department declined to comment.

The indictment would be the Obama administration’s latest step to confront foreign cyber attacks on the United States. President Barack Obama accused and publicly condemned North Korea over a 2014 hack on Sony Pictures and vowed to “respond proportionally.” No details were made public of any retaliation.

James Lewis, a cyber security expert with the Center for Strategic and International Studies think tank, said, “We need to make clear that there will be consequences for cyber-attacks and that the Wild West days are coming to an end.”

Two weeks ago, it was widely reported that U.S. prosecutors were preparing an indictment against Iranian hackers related solely to the dam attack.

The broader indictment would come at a time of reduced tensions between the United States and Iran after a landmark 2015 nuclear deal. At the same time, the Obama administration has shown a willingness to confront Tehran for bad behavior.

Charging the Iranian hackers would be the highest-profile move of its type by the Obama administration since the Justice Department in 2014 accused five members of China’s People’s Liberation Army of hacking several Pennsylvania-based companies in an alleged effort to steal trade secrets.

(Reporting by Dustin Volz in Washington and Nate Raymond in New York; additional reporting by Mark Hosenball in Washington and Jim Finkle in Boston; Editing by Kevin Drawbaugh and Jonathan Oatis)

U.S. charges three Syrian hackers, Justice Department says

WASHINGTON (Reuters) – U.S. authorities have charged three Syrian nationals who are current or former members of the Syrian Electronic Army with multiple conspiracies related to computer hacking, the U.S. Justice Department said on Tuesday.

Ahmad Umar Agha, 22, and Firas Dardar, 27, were charged with a criminal conspiracy that included “a hoax regarding a terrorist attack” and “attempting to cause mutiny of the U.S. armed forces,” the department said in a statement. Dardar and Peter Romar, 36, were separately charged with other conspiracies, it said.

The FBI announced on Tuesday it was adding Agha and Dardar to its Cyber Most Wanted list and offering a reward of $100,000 for information leading to their arrest, the statement said.

Agha and Dardar, who are believed to reside in Syria, began their criminal activities in or around 2011 under the name of the Syrian Electronic Army in support of the Syrian government, the statement said.

In June 2015, the U.S. Army said it temporarily took down its website after the Syrian Electronic Army hacked into the site and posted messages.

(Reporting by Washington Newsroom)

U.S. says it may not need Apple to open San Bernardino iPhone

(Reuters) – U.S. prosecutors said Monday that a “third party” had presented a possible method for opening an encrypted iPhone used by one of the San Bernardino shooters, a development that could bring an abrupt end to the high-stakes legal showdown between the government and Apple Inc.

A federal judge in Riverside, California, late Monday agreed to the government’s request to postpone a hearing scheduled for Tuesday so that the FBI could try the newly discovered technique. The Justice Department said it would update the court on April 5.

The government had insisted until Monday that it had no way to access the phone used by Rizwan Farook, one of the two killers in the December massacre in San Bernardino, California, except to force Apple to write new software that would disable the password protection.

The Justice Department last month obtained a court order directing Apple to create that software, but Apple has fought back, arguing that the order is an overreach by the government and would undermine computer security for everyone.

The announcement on Monday that an unnamed third party had presented a way of breaking into the phone on Sunday – just two days before the hearing and after weeks of heated back-and-forth in court filings – drew skepticism from many in the tech community who have insisted that there were other ways to get into the phone.

“From a purely technical perspective, one of the most fragile parts of the government’s case is the claim that Apple’s help is required to unlock the phone,” said Matt Blaze, a professor and computer security expert at the University of Pennsylvania. “Many in the technical community have been skeptical that this is true, especially given the government’s considerable resources.”

Former prosecutors and lawyers supporting Apple said the move suggested that the Justice Department feared it would lose the legal battle, or at minimum would be forced to admit that it had not tried every other way to get into the phone.

In a statement, the Justice Department said its only interest has always been gaining access to the information on the phone and that it had continued to explore alternatives even as litigation began. It offered no details on the new technique except that it came from a non-governmental third party, but said it was “cautiously optimistic” it would work.

“That is why we asked the court to give us some time to explore this option,” a spokeswoman for the Justice Department, Melanie R. Newman, said. “If this solution works, it will allow us to search the phone and continue our investigation into the terrorist attack that killed 14 people and wounded 22 people.”

It would also likely end the case without a legal showdown that many had expected to reach the U.S. Supreme Court.

An Apple executive told reporters on a press call that the company knew nothing about the Justice Department’s possible method for getting into the phone, and that the government never gave any indication that it was continuing to search for such solutions.

The executive characterized the Justice Department’s admission Monday that it never stopped pursuing ways to open the phone as a sharp contrast with its insistence in court filings that only Apple possessed the means to do so.

Nate Cardozo, staff attorney at the Electronic Frontier Foundation, a civil liberties group backing Apple, said the San Bernardino case was the “hand-chosen test case” for the government to establish its authority to access electronic information by whatever means necessary.

In that context, he said, the last-minute discovery of a possible solution and the cancellation of the hearing is “suspicious,” and suggests the government might be worried about losing and setting a bad precedent.

But George Washington University law professor Orin Kerr, a former Justice Department computer crime prosecutor, said the government was likely only postponing the fight.

“The problem is not going away, it’s just been delayed for a year or two,” he said.

Apple said that if the government was successful in getting into the phone, which might involve taking advantage of previously undiscovered vulnerabilities, it hoped officials would share information on how they did so. But if the government drops the case it would be under no obligation to provide information to Apple.

In opposing the court order, Apple’s chief executive, Tim Cook, and his allies have argued that it would be unprecedented to force a company to develop a new product to assist a government investigation, and that other law enforcement agencies around the world would rapidly demand similar services.

Law enforcement officials, led by Federal Bureau of Investigation Director James Comey, have countered that access to phones and other devices is crucial for intelligence work and criminal investigations.

The government and the tech industry have clashed for years over similar issues, and Congress has been unable to pass legislation to address the impasse.

(Reporting by Joseph Menn, additional reporting by Mari Saito; Editing by Leslie Adler and Andrew Hay)

Number of U.S. government ‘cyber incidents’ jumps in 2015

WASHINGTON (Reuters) – The U.S. government was hit by more than 77,000 “cyber incidents” like data thefts or other security breaches in fiscal year 2015, a 10 percent increase over the previous year, according to a White House audit.

Part of the uptick stems from federal agencies improving their ability to identify and detect incidents, the annual performance review from the Office of Management and Budget said.

The report, released on Friday, defines cyber incidents broadly as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices.” Only a small number of the incidents would be considered as significant data breaches.

National security and intelligence officials have long warned that cyber attacks are among the most serious threats facing the United States. President Barack Obama asked Congress last month for $19 billion for cyber security funding across the government in his annual budget request, an increase of $5 billion over the previous year.

The government’s Office of Personnel Management was victim of a massive hack that began in 2014 and was detected last year. Some 22 million current and former federal employees and contractors in addition to family members had their Social Security numbers, birthdays, addresses and other personal data pilfered in the breach.

That event prompted the government to launch a 30-day “cyber security sprint” to boost cyber security within each federal agency by encouraging adoption of multiple-factor authentication and addressing other vulnerabilities.

“Despite unprecedented improvements in securing federal information resources … malicious actors continue to gain unauthorized access to, and compromise, federal networks, information systems, and data,” the report said.

(Reporting by Dustin Volz; Editing by Alistair Bell)

FBI warns automakers, owners about vehicle hacking risks

WASHINGTON (Reuters) – The FBI and U.S. National Highway Traffic Safety Administration (NHTSA) issued a bulletin Thursday warning that motor vehicles are “increasingly vulnerable” to hacking.

“The FBI and NHTSA are warning the general public and manufacturers – of vehicles, vehicle components, and aftermarket devices – to maintain awareness of potential issues and cybersecurity threats related to connected vehicle technologies in modern vehicles,” the agencies said in the bulletin.

In July 2015, Fiat Chrysler Automobiles NV recalled 1.4 million U.S. vehicles to install software after a magazine report raised concerns about hacking, the first action of its kind for the auto industry.

Also last year, General Motors Co issued a security update for a smartphone app that could have allowed a hacker to take control of some functions of a plug-in hybrid electric Chevrolet Volt, like starting the engine and unlocking the doors.

In January 2015, BMW AG said it had fixed a security flaw that could have allowed up to 2.2 million vehicles to have doors remotely opened by hackers.

“While not all hacking incidents may result in a risk to safety – such as an attacker taking control of a vehicle – it is important that consumers take appropriate steps to minimize risk,” the FBI bulletin said Thursday.

NHTSA Administrator Mark Rosekind told reporters in July 2015 that automakers must move fast to address hacking issues.

The Fiat Chrysler recall came after Wired magazine reported hackers could remotely take control of some functions of a 2014 Jeep Cherokee, including steering, transmission and brakes. NHTSA has said there has never been a real-world example of a hacker taking control of a vehicle.

Two major U.S. auto trade associations — the Alliance of Automobile Manufacturers and Association of Global Automakers — late last year opened an Information Sharing and Analysis Center. The groups share cyber-threat information and potential vulnerabilities in vehicles.

The FBI bulletin Thursday warned that criminals could exploit online vehicle software updates by sending fake “e-mail messages to vehicle owners who are looking to obtain legitimate software updates. Instead, the recipients could be tricked into clicking links to malicious Web sites or opening attachments containing malicious software.”

(Reporting by David Shepardson; Editing by Kenneth Maxwell)

Cyber criminals snap up expired domains to serve malicious ads

(Reuters) – Expired domain names are becoming the latest route for cyber criminals to find their way into the computers of unsuspecting users.

Cyber criminals launched a malicious advertising campaign this week targeting visitors of popular news and entertainment websites after gaining ownership of an expired web domain of an advertising company.

Users visiting the websites of the New York Times, Newsweek, BBC and AOL, among others, may have installed malware on their computers if they clicked on the malicious ads.

Bresntsmedia.com, the website used by hackers to serve up malware, expired on Jan. 1 and was registered again on March 6 by a different buyer, security researchers at Trustwave SpiderLabs wrote in a blog. (http://bit.ly/1Ubu21f)

Buying the domain of a small but legitimate ad company provided the criminals with high quality traffic from popular web sites that publish their ads directly, or as affiliates of other ad networks, the researchers said.

New York Times spokesman Jordan Cohen said the company was investigating if the attack had any impact. “To be clear, this is impacting ads from third parties that are beyond our control.”

Newsweek, BBC and AOL could not be immediately reached for comment.

The researchers also found two more expired “media”-related domains – envangmedia.com and markets.shangjiamedia.com – used by the same cyber criminals.

The people behind the campaign may be keeping a watch for expired domains with the word “media” in them, they said.
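Detection logic a publisher or ad-operations team could run over its own inventory of third-party ad and script domains, added here as an example; it is not part of the Reuters article or of Trustwave SpiderLabs' research. It assumes the team records the date it first loaded resources from each third-party domain and can obtain WHOIS-style registration records for them; the domain names, dates and WHOIS text below are constructed sample data. A domain whose current registration was created after the site first trusted it has changed hands through expiry and re-registration, which is exactly the pattern described above, and a supplier domain that lapses within the next month is worth confirming with the supplier before someone else registers it.

```python
"""Flag third-party domains that expired and were re-registered (constructed example)."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed WHOIS-style output (sample data, not real lookups) in the
# key/value layout gTLD registries use. Only the two date fields matter here.
SAMPLE_WHOIS: Dict[str, str] = {
    "dropcaught-media.example": (
        "Domain Name: DROPCAUGHT-MEDIA.EXAMPLE\n"
        "Creation Date: 2016-03-06T09:12:44Z\n"
        "Registry Expiry Date: 2017-03-06T09:12:44Z\n"
    ),
    "expiring-ads.example": (
        "Domain Name: EXPIRING-ADS.EXAMPLE\n"
        "Creation Date: 2012-05-03T00:00:00Z\n"
        "Registry Expiry Date: 2016-04-10T00:00:00Z\n"
    ),
    "stable-ads.example": (
        "Domain Name: STABLE-ADS.EXAMPLE\n"
        "Creation Date: 2010-02-14T00:00:00Z\n"
        "Registry Expiry Date: 2018-02-14T00:00:00Z\n"
    ),
}

# Constructed inventory: when this site first served resources from each domain.
SAMPLE_FIRST_SEEN: Dict[str, date] = {
    "dropcaught-media.example": date(2015, 6, 1),
    "expiring-ads.example": date(2015, 1, 10),
    "stable-ads.example": date(2014, 6, 1),
}

# Matches "Creation Date: YYYY-MM-DD..." and "Registry Expiry Date: YYYY-MM-DD..."
_DATE_RE = re.compile(
    r"^\s*(Creation Date|Registry Expiry Date):\s*(\d{4}-\d{2}-\d{2})",
    re.MULTILINE | re.IGNORECASE,
)


def parse_whois(text: str) -> Tuple[Optional[date], Optional[date]]:
    """Return (creation_date, expiry_date) parsed from WHOIS-style text."""
    created: Optional[date] = None
    expires: Optional[date] = None
    for key, iso_day in _DATE_RE.findall(text):
        parsed = date.fromisoformat(iso_day)
        if key.lower() == "creation date":
            created = parsed
        else:
            expires = parsed
    return created, expires


@dataclass(frozen=True)
class Finding:
    domain: str
    severity: str  # "high" = domain changed hands; "medium" = needs follow-up
    reason: str


def assess_domains(
    first_seen: Dict[str, date],
    whois: Dict[str, str],
    today: date,
    expiry_window_days: int = 30,
) -> List[Finding]:
    """Compare each domain's current registration against when the site first trusted it."""
    findings: List[Finding] = []
    for domain, seen in sorted(first_seen.items()):
        created, expires = parse_whois(whois.get(domain, ""))
        if created is None:
            # No registration data at all: cannot vouch for the domain, verify by hand.
            findings.append(Finding(domain, "medium", "no registration data; verify manually"))
            continue
        if created > seen:
            # The registration we see now did not exist when we first loaded this
            # domain, so it lapsed and was re-registered by someone else.
            findings.append(Finding(
                domain, "high",
                f"current registration created {created}, after first seen {seen}: "
                "domain changed hands",
            ))
        elif expires is not None and 0 <= (expires - today).days <= expiry_window_days:
            findings.append(Finding(
                domain, "medium",
                f"registration lapses {expires}; confirm renewal with the supplier",
            ))
    return findings


if __name__ == "__main__":
    for finding in assess_domains(SAMPLE_FIRST_SEEN, SAMPLE_WHOIS, date(2016, 3, 15)):
        print(f"[{finding.severity}] {finding.domain}: {finding.reason}")
```

The check deliberately keys on the creation date of the current registration rather than on registrant names, since WHOIS contact data is often redacted or unreliable, while the creation date is reset whenever a domain is registered anew. Feed it a real inventory and real WHOIS output and any "high" finding is a third-party domain that should be pulled from the ad chain until the new owner is identified.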

(Reporting by Supantha Mukherjee and Abhirup Roy in Bengaluru; Editing by Saumyadeb Chakrabarty)

Chinese hackers behind U.S. ransomware attacks, security firms say

(Reuters) – Hackers using tactics and tools previously associated with Chinese government-supported computer network intrusions have joined the booming cyber crime industry of ransomware, four security firms that investigated attacks on U.S. companies said.

Ransomware, which involves encrypting a target’s computer files and then demanding payment to unlock them, has generally been considered the domain of run-of-the-mill cyber criminals.

But executives of the security firms have seen a level of sophistication in at least a half dozen cases over the last three months akin to those used in state-sponsored attacks, including techniques to gain entry and move around the networks, as well as the software used to manage intrusions.

“It is obviously a group of skilled operators that have some amount of experience conducting intrusions,” said Phil Burdette, who heads an incident response team at Dell SecureWorks.

Burdette said his team was called in on three cases in as many months where hackers spread ransomware after exploiting known vulnerabilities in application servers. From there, the hackers tricked more than 100 computers in each of the companies into installing the malicious programs.

The victims included a transportation company and a technology firm that had 30 percent of its machines captured.

Security firms Attack Research, InGuardians and G-C Partners said they had separately investigated three other similar ransomware attacks since December.

Although they cannot be positive, the companies concluded that all were the work of a known advanced threat group from China, Attack Research Chief Executive Val Smith told Reuters.

The ransomware attacks have not previously been reported. None of the companies that were victims of the hackers agreed to be identified publicly.

Asked about the allegations, China’s Foreign Ministry said on Tuesday that if they were made with a “serious attitude” and reliable proof, China would treat the matter seriously.

But ministry spokesman Lu Kang said China did not have time to respond to what he called “rumors and speculation” about the country’s online activities.

The security companies investigating the advanced ransomware intrusions have various theories about what is behind them, but they do not have proof and they have not come to any firm conclusions.

Most of the theories flow from the possibility that the Chinese government has reduced its support for economic espionage, which it pledged to oppose in an agreement with the United States late last year. Some U.S. companies have reported a decline in Chinese hacking since the agreement.

Smith said some government hackers or contractors could be out of work or with reduced work and looking to supplement their income via ransomware.

It is also possible, Burdette said, that companies which had been penetrated for trade secrets or other reasons in the past were now being abandoned as China backs away, and that spies or their associates were taking as much as they could on the way out. In one of Dell’s cases, the means of access by the team spreading ransomware was established in 2013.

The cyber security experts could not completely rule out more prosaic explanations, such as the possibility that ordinary criminals had improved their skills and bought tools previously used only by governments.

Dell said that some of the malicious software had been associated by other security firms with a group dubbed Codoso, which has a record of years of attacks of interest to the Chinese government, including those on U.S. defense companies and sites that draw Chinese minorities.

PAYMENT IN BITCOIN

Ransomware has been around for years, spread by some of the same people that previously installed fake antivirus programs on home computers and badgered the victims into paying to remove imaginary threats.

In the past two years, better encryption techniques have often made it impossible for victims to regain access to their files without cooperation from the hackers. Many ransomware payments are made in the virtual currency Bitcoin and remain secret, but institutions including a Los Angeles hospital have gone public about ransomware attacks.

Ransomware operators generally set modest prices that many victims are willing to pay, and they usually do decrypt the files, which ensures that victims will post positively online about the transaction, making the next victims who research their predicament more willing to pay.

Security software companies have warned that because the aggregate payoffs for ransomware gangs are increasing, more criminals will shift to it from credit card theft and other complicated scams.

The involvement of more sophisticated hackers also promises to intensify the threat.

InGuardians CEO Jimmy Alderson said one of the cases his company investigated appeared to have been launched with online credentials stolen six months earlier in a suspected espionage hack of the sort typically called an Advanced Persistent Threat, or APT.

“The tactics of getting access to these networks are APT tactics, but instead of going further in to sit and listen stealthily, they are used for smash-and-grab,” Alderson said.

(Reporting by Joseph Menn in San Francisco; Additional reporting by Megha Rajagopalan in Beijing; Editing by Jonathan Weber and Clarence Fernandez)

Home Depot settles consumer lawsuit over big 2014 data breach

(Reuters) – Home Depot Inc has agreed to pay $13 million to compensate consumers affected by a massive 2014 data breach in which payment card or other personal data was stolen from more than 50 million people.

The home improvement retailer also agreed to pay $6.5 million to fund one and a half years of identity protection services for card holders, and take steps to improve data security.

Terms of the preliminary settlement were disclosed in papers filed on Monday with the federal court in Atlanta, where Home Depot is based.

Court approval is required, and Home Depot did not admit wrongdoing or liability in agreeing to settle.

The company also agreed to pay legal fees of the plaintiffs’ lawyers, on top of the settlement fund.

“We wanted to put the litigation behind us, and this was the most expeditious path,” Home Depot spokesman Stephen Holmes said. “Customers were never responsible for any fraudulent charges.”

According to court papers, the settlement covers about 40 million people who had payment card data stolen, and 52 million to 53 million people who had email addresses stolen, with some overlap between the two groups.

The $13 million will compensate consumers with documented out-of-pocket losses or unreimbursed charges.

Home Depot has said the breach affected people who used payment cards on its self-checkout lines in U.S. and Canadian stores between April and September 2014.

In November, Home Depot said it had incurred $152 million of expenses from the breach, after accounting for expected insurance proceeds.

(Reporting by Jonathan Stempel in New York; Additional reporting by Nate Raymond; Editing by Chris Reese)