North Korea tried to hack South’s railway system, spy agency claims

SEOUL (Reuters) – North Korea has tried to hack into email accounts of South Korean railway workers in an attempt to attack the rail network’s control system, South Korea’s spy agency said on Tuesday.

South Korea has been on heightened alert against the threat of cyberattacks by North Korea after it conducted a nuclear test in January and a long-range rocket launch last month, triggering new U.N. sanctions.

South Korea had previously blamed the North for cyberattacks against its nuclear power operator. North Korea denied that.

South Korea’s National Intelligence Service (NIS) said in a statement it had interrupted the hacking attempt against the railway workers and closed off their email accounts.

The agency issued the statement after an emergency meeting with other government agencies on the threat of cyberattacks by the North.

The NIS said it detected hacking attempts by the North this year against workers at two regional railway networks.

“The move was a step to prepare for cyber terror against the railway transport control system,” the agency said.

It did not elaborate on what it thought North Korea’s specific objective was in hacking into the system. An agency official reached by telephone declined to comment.

North Korea has been working for years to develop the ability to disrupt or destroy computer systems that control public services such as telecommunications and other utilities, according to a defector from the North.

The United States accused North Korea of a cyberattack against Sony Pictures in 2014 that led to the studio cancelling the release of a comedy based on the fictional assassination of the country’s leader, Kim Jong Un.

North Korea denied the accusation.

In 2013, South Korea blamed the North for crippling cyberattacks that froze the computer systems of its banks and broadcasters for days.

New fears of attacks on South Korea’s computer systems came as South Korean and U.S. troops conducted large-scale military exercises which North Korea denounced as “nuclear war moves” and threatened to respond with an all-out military offensive.

(Reporting by Jack Kim and Ju-min Park; Editing by Robert Birsel)

Mac ransomware caught before large number of computers infected

(Reuters) – The first known ransomware attack on Apple Inc’s Mac computers, which was discovered over the weekend, was downloaded more than 6,000 times before the threat was contained, according to a developer whose product was tainted with the malicious software.

Hackers infected Macs with the “KeRanger” ransomware through a tainted copy of Transmission, a popular program for transferring data through the BitTorrent peer-to-peer file sharing network.

So-called ransomware is a type of malicious software that restricts access to a computer system in some way and demands the user pay a ransom to the malware operators to remove the restriction.

KeRanger, which locks data on Macs so users cannot access it, was downloaded about 6,500 times before Apple and developers were able to thwart the threat, said John Clay, a representative for the open-source Transmission project.

That is small compared to the number of ransomware attacks on computers running Microsoft Corp’s Windows operating system. Cyber security firm Symantec Corp observed some 8.8 million attacks in 2014 alone.

Still, cyber security experts said they expect to see more attacks on Macs as the KeRanger hackers and other groups look for new ways to infect Mac computers.

“It’s a small number but these things always start small and ramp up huge,” said Fidelis Cybersecurity threat systems manager John Bambenek. “There’s a lot of Mac users out there and a lot of money to be made.”

Symantec, which sells anti-virus software for Macs, warned on its blog that “Mac users should not be complacent.” The post offered tips on protecting against ransomware.

The Transmission project provided few details about how the attack was launched.

“The normal disk image (was) replaced by the compromised one” after the project’s main server was hacked, said Clay.

He added that “security on the server has since been increased” and that the group was in “frequent contact” with Apple as well as Palo Alto Networks, which discovered the ransomware on Friday and immediately notified Apple and Transmission.

An Apple representative said the company quickly took steps over the weekend to prevent further infections by revoking a digital certificate that enabled the rogue software to install on Macs.

Transmission responded by removing the malicious 2.90 version of its software from its website. On Sunday, it released version 2.92, which its website says automatically removes the ransomware from infected Macs.

Forbes earlier reported on the number of KeRanger downloads, citing Clay.

(Reporting by Jim Finkle; Editing by Cynthia Osterman and Bill Rigby)

Apple users targeted in first known Mac ransomware campaign

BOSTON (Reuters) – Apple Inc customers were targeted by hackers over the weekend in the first campaign against Macintosh computers using a pernicious type of software known as ransomware, researchers with Palo Alto Networks Inc told Reuters on Sunday.

Ransomware, one of the fastest-growing types of cyber threats, encrypts data on infected machines, then typically asks users to pay ransoms in hard-to-trace digital currencies to get an electronic key so they can retrieve their data.

Security experts estimate that ransoms total hundreds of millions of dollars a year from such cyber criminals, who typically target users of Microsoft Corp’s Windows operating system.

Palo Alto Threat Intelligence Director Ryan Olson said the “KeRanger” malware, which appeared on Friday, was the first functioning ransomware attacking Apple’s Mac computers.

“This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,” Olson said in a telephone interview.

Hackers infected Macs through a tainted copy of a popular program known as Transmission, which is used to transfer data through the BitTorrent peer-to-peer file sharing network, Palo Alto said on a blog posted on Sunday afternoon.

When users downloaded version 2.90 of Transmission, which was released on Friday, their Macs were infected with the ransomware, the blog said.

An Apple representative said the company had taken steps over the weekend to prevent further infections by revoking a digital certificate that enabled the rogue software to install on Macs. The representative declined to provide other details.

Transmission responded by removing the malicious version of its software from its website. On Sunday it released a version that its website said automatically removes the ransomware from infected Macs.

The website advised Transmission users to immediately install the new update, version 2.92, if they suspected they might be infected.

Palo Alto said on its blog that KeRanger is programmed to stay quiet for three days after infecting a computer, then connect to the attacker’s server and start encrypting files so they cannot be accessed.

After encryption is completed, KeRanger demands a ransom of 1 bitcoin, or about $400, the blog said.

Olson, the Palo Alto threat intelligence director, said that the victims whose machines were compromised but not cleaned up could start losing access to data on Monday, which is three days after the virus was loaded onto Transmission’s site.

Representatives with Transmission could not be reached for comment.

(Editing by Jeffrey Benkoe and Sandra Maler)

21st Century Oncology investigating cyber breach

(Reuters) – Cancer care provider 21st Century Oncology Holdings Inc said it was investigating a breach of its computer network, but had no indication that patient information had been misused.

The Federal Bureau of Investigation had advised the company of the breach in November but had asked it to hold off on making an announcement so as to not impede the investigation, 21st Century Oncology said on Friday.

The Fort Myers, Florida-based company operates 145 cancer treatment centers in the United States and 36 in Latin America.

The company said an investigation by a forensics firm it had hired showed that the intruder may have gained access to its database in early October.

The database contains personal information of some patients, including their names, social security numbers, physicians, diagnoses and treatment, as well as insurance data, the company said.

The FBI said on Friday the investigation remained ongoing and no further comments would be provided for now.

21st Century Oncology is notifying about 2.2 million of its current and former patients that certain information may have been copied and transferred, the company said in a regulatory filing.

The company said it would offer one year of free identity protection services to the affected individuals.

(Reporting by Natalie Grover in Bengaluru; Editing by Saumyadeb Chakrabarty)

U.S. tech companies unite behind Apple ahead of iPhone encryption ruling

(Reuters) – Alphabet Inc’s Google, Facebook Inc, Microsoft Corp and several other Internet and technology companies will file a joint legal brief on Thursday asking a judge to support Apple Inc in its encryption battle with the U.S. government, sources familiar with the companies’ plans said.

The effort is a rare display of unity and support for the iPhone maker from companies which are competitors in many areas, and shows the breadth of Silicon Valley’s opposition to the government’s anti-encryption effort.

The fight between Apple and the government became public last month when the U.S. Federal Bureau of Investigation obtained a court order requiring Apple to write new software and take other measures to disable passcode protection and allow access to an iPhone used by one of the San Bernardino shooters in December.

Apple has pushed back, arguing that such a move would set a dangerous precedent and threaten customer security. The clash has intensified a long-running debate over how much law enforcement and intelligence officials should be able to monitor digital communications.

The group of tech companies plans to file what is known as an amicus brief – a form of comment from outside groups common in complex cases – to the Riverside, California, federal judge Sheri Pym. She will rule on Apple’s appeal of a court order that would force it to create software to unlock the iPhone.

The companies will contest government arguments that the All Writs Act, a broad 1789 law that enables judges to require actions necessary to enforce their own orders, compels Apple to comply with its request.

In their joint brief, the tech companies will say that Congress passed the All Writs Act before the invention of the light bulb, and that it goes too far to contend that the law can be used to force engineers to disable security protections, according to a source familiar with their arguments.

Google, Facebook and others also appear to be tailoring their arguments specifically to a U.S. Supreme Court audience, where the case may end up. The brief will highlight a unanimous 2014 U.S. Supreme Court case which said law enforcement needs warrants to access smartphones snared in an arrest, the source said.

That opinion, penned by Chief Justice John Roberts, united the Supreme Court’s liberal and conservative factions.

Briefs are also expected in support of the government.

Stephen Larson, a former federal judge, told Reuters last week that he is working on a brief with victims of the San Bernardino shooting who want the FBI to be able to access the data on the phone used by Rizwan Farook. “They were targeted by terrorists, and they need to know why, how this could happen,” Larson said.

Several other tech companies are joining Google, Facebook and Microsoft.

Mozilla, maker of the Firefox web browser, said it was participating, along with online planning tool maker Evernote and messaging app firms Snapchat and WhatsApp. Bookmarking and social media site Pinterest and online storage firm Dropbox are also participating.

“We stand against the use of broad authorities to undermine the security of a company’s products,” Dropbox General Counsel Ramsey Homsany said in a statement.

A separate group including Twitter Inc, eBay Inc, LinkedIn Corp and more than a dozen other tech firms filed a brief with the court in support of Apple on Thursday. AT&T Inc filed its own brief.

Networking leader Cisco Systems Inc said it expected to address the court on Apple’s behalf, but did not say whether it was joining with the large group of companies.

Semiconductor maker Intel Corp plans to file a brief of its own in support of Apple, said Chris Young, senior vice president and general manager for Intel Security Group.

“We believe that tech companies need to have the ability to build and design their products as needed, and that means that we can’t have the government mandating how we build and design our products,” Young said in an interview.

The Stanford Law School for Internet and Society filed a separate brief on Thursday morning on behalf of a group of well-known experts on iPhone security and encryption, including Charlie Miller, Dino Dai Zovi, Bruce Schneier and Jonathan Zdziarski.

Privacy advocacy groups the American Civil Liberties Union, Access Now and the Wickr Foundation filed briefs on Wednesday in support of Apple before Thursday’s deadline set by Pym.

Salihin Kondoker, whose wife Anies Kondoker was injured in the San Bernardino attack, also wrote on Apple’s behalf, saying he shared the company’s fear that the software the government wants Apple to create to unlock the phone could be used to break into millions of other phones.

“I believe privacy is important and Apple should stay firm in their decision,” the letter said. “Neither I, nor my wife, want to raise our children in a world where privacy is the tradeoff for security.”

Law enforcement officials have said that Farook and his wife, Tashfeen Malik, were inspired by Islamist militants when they shot and killed 14 people and wounded 22 others last Dec. 2 at a holiday party. Farook and Malik were later killed in a shootout with police and the FBI said it wants to read the data on Farook’s phone to investigate any links with militant groups.

Earlier this week, a Brooklyn judge ruled that the government had overstepped its authority by seeking similar assistance from Apple in a drug case.

(Reporting by Jim Finkle in Boston and Dustin Volz in San Francisco; Additional reporting by Dan Levine, Heather Somerville, Sarah McBride, Julia Love in San Francisco; Editing by Jonathan Weber, Grant McCool and Bill Rigby)

NSA chief says ‘when, not if’ foreign country hacks U.S. infrastructure

SAN FRANCISCO (Reuters) – The U.S. National Security Agency chief said on Tuesday it was a “matter of when, not if” a foreign nation-state attempts to launch a cyber attack on the U.S. critical infrastructure, citing the recent hack on Ukraine’s power grid as a cause for concern.

Speaking at the RSA cyber security conference in San Francisco, Admiral Michael Rogers said he was also worried about data manipulation and potential offensive cyber threats posed by non-nation-state actors such as Islamic State.

The U.S. government said last week a December blackout in Ukraine that affected 225,000 customers was the result of a cyber attack, supporting what most security researchers had already concluded.

Some private researchers have linked the incident to a Russian hacking group known as “Sandworm.”

(Reporting by Dustin Volz; Editing by Jeffrey Benkoe)

Hackers could ‘Mousejack’ wireless mice, keyboards to access computers

A cyber security company says it has discovered a design flaw in scores of wireless keyboards and mice that hackers could exploit to access computers as if they were their own devices.

Bastille Networks announced the discovery in a news release last week, claiming a hacker armed with a $15 piece of hardware and a few lines of code could gain full control of a computer by exploiting a loophole in the way wireless keyboards and mice communicate with the computers they are paired with.

The company says the majority of mice and keyboards that use wireless dongles, as opposed to Bluetooth technology, are vulnerable. The dongles are plugged into USB ports on the computer, and clicks, mouse movements and keystrokes are transmitted to them through radio signals.

Bastille says hackers within 100 meters of a vulnerable dongle could “Mousejack” a computer by taking advantage of those connections, allowing them to send their own clicks, mouse movements and keystrokes to the computer as if they were sitting in front of it.

That could allow them to view sensitive data or insert malicious code, the company said.

Bastille claims billions of devices are vulnerable and that computers running Windows, Macintosh and Linux software are all at risk. But one manufacturer downplayed the risk of a breach.

“Bastille Security identified the vulnerability in a controlled, experimental environment,” Logitech said on its message board. “The vulnerability would be complex to replicate and would require physical proximity to the target. It is therefore a difficult and unlikely path of attack.”

“What’s particularly troublesome about this finding is that just about anyone can be a potential victim here, whether you’re an individual or a global enterprise,” Marc Newlin, the Bastille engineer responsible for discovering the security flaw, said in a statement.

Bastille supplied a list of vulnerable mice and keyboards on its website, and manufacturers like Logitech and Lenovo have already issued firmware patches they say address the security flaw.

But Bastille noted that patches might not be available for every dongle, and device owners will need to check with manufacturers to see if there is a fix available. In the interim, it recommends using a wired mouse or possibly replacing a vulnerable device with one known to be secure.

IRS notifying more taxpayers about potential data breach

Hackers may have accessed the tax transcripts of approximately 724,000 United States taxpayers by using stolen personal information, the Internal Revenue Service announced Friday.

The agency also said hackers targeted another 576,000 accounts, but could not access them.

The announcement followed a nine-month investigation into its “Get Transcript” application.

The tool was launched in January 2014 and gave taxpayers a way to download or order several years of their transcripts through the IRS website.

However, the agency announced last May that “criminals” had been able to access other tax histories that were not their own by using personal information that had been stolen elsewhere.

The IRS originally announced that about 114,000 transcripts may have been improperly accessed, while hackers targeted another 111,000 but were unsuccessful in their attempts.

The tool has been offline ever since while officials searched for other suspicious activity.

The Treasury Inspector General for Tax Administration (TIGTA) has handled the investigations.

In August, the IRS announced that TIGTA had found about 220,000 more cases of potential breaches since “Get Transcript” debuted, and about 170,000 more unsuccessful suspicious attempts.

On Friday, the IRS announced TIGTA’s latest review found about 390,000 potential additional cases of improper access, and some 295,000 cases where tax data was targeted but not obtained.

The IRS noted that some of the attempts might not have been malicious.

“It is possible that some of those identified may be family members, tax return preparers or financial institutions using a single email address to attempt to access more than one account,” it said in a statement, though added it is notifying all of the affected taxpayers as a precaution.

The latest wave of taxpayers will be notified through the mail beginning Feb. 29, the IRS said.

“The IRS is committed to protecting taxpayers on multiple fronts against tax-related identity theft, and these mailings are part of that effort,” IRS Commissioner John Koskinen said in Friday’s announcement. “We appreciate the work of the Treasury Inspector General for Tax Administration to identify these additional taxpayers whose accounts may have been accessed.”

The agency is offering all affected taxpayers free identity theft protection services and the chance to obtain an identity protection PIN, which helps protect Social Security numbers on returns.

Sony hackers linked to breaches in 4 other countries, report finds

SAN FRANCISCO (Reuters) – The perpetrators of the 2014 cyber attack on Sony Pictures Entertainment were not activists or disgruntled employees, and likely had attacked other targets in China, India, Japan and Taiwan, according to a coalition of security companies that jointly investigated the Sony case for more than a year.

The coalition, organized by security analytics company Novetta, concluded in a report released on Wednesday that the hackers were government-backed but it stopped short of endorsing the official U.S. view that North Korea was to blame.

The Obama administration has tied the attack on Sony Corp’s film studio to its release of “The Interview,” a comedy that depicted the fictional assassination of North Korean leader Kim Jong Un.

Novetta said the breach “was not the work of insiders or hacktivists.”

“This is very much supportive of the theory that this is nation-state,” Novetta Chief Executive Peter LaMontagne told Reuters. “This group was more active, going farther back, and had greater capabilities and reach than we thought.”

Novetta worked with the largest U.S. security software vendor Symantec Corp, top Russian security firm Kaspersky Lab and at least 10 other institutions on the investigation, a rare collaboration involving so many companies.

They determined that the unidentified hackers had been at work since at least 2009, five years before the Sony breach. The hackers were able to achieve many of their goals despite modest skills because of the inherent difficulty in establishing an inclusive cyber security defense, the Novetta group said.

LaMontagne said the report was the first to tie the Sony hack to breaches at South Korean facilities including a power plant. The FBI and others had previously said the Sony attackers reused code that had been used in destructive attacks on South Korean targets in 2013.

The Novetta group said the hackers were likely also responsible for denial-of-service attacks that disrupted U.S. and South Korean websites on July 24, 2009. The group said it found overlaps in code, tactics and infrastructure between the attacks.

Symantec researcher Val Saengphaibul said his company connected the hackers to attacks late last year, suggesting the exposure of the Sony breach and the threat of retaliation by the United States had not silenced the gang.

The coalition of security companies distributed technical indicators to help others determine if they had been targeted by the same hackers, which Novetta dubbed the Lazarus Group.

(Reporting by Joseph Menn; Editing by Tiffany Wu)