Cyber extortion demands surge as victims keep paying: Symantec

A man walks past a display of hexadecimal code in a file photo. REUTERS/Nigel Treblin

By Alastair Sharp

TORONTO (Reuters) – Hackers are demanding increasingly hefty ransoms to free computers paralyzed with viruses, as cyber criminals seek to maximize profits from large numbers of victims willing to pay up, according to cyber security firm Symantec Corp.

The average demand embedded in such malicious software, which is known as ransomware, more than tripled last year to $1,077 from $294, and the pricing has continued to rise in 2017, according to Symantec.

“The bad guys haven’t found the top end of what people will pay,” Symantec Director of Security Response Kevin Haley said in a telephone interview.

Symantec said 69 percent of ransomware infections in 2016 hit consumer computers, with the remainder targeting businesses and other organizations.

More than a third of consumer ransomware victims around the globe pay cyber criminals to regain access to their data, according to Symantec. In the United States, where such attacks are most prevalent, 64 percent pay.

“If six out of ten people will pay your ransom when it’s three hundred bucks, you’re thinking ‘What if I raise it to four hundred? What if I raise to five hundred?’” Haley said.

The surge in cyber extortion has been fueled partly by the sale of ransomware kits, which sell for $10 to $1,800 on underground markets and make it easy for wannabe cyber crooks to get in the business, according to Symantec.

One kit, known as Shark, lets users name their demand, which its creators collect from victims and pass on to attackers, minus a 20 percent commission.

Ransomware attacks have increased sharply over the past year, with criminals targeting hospitals, police departments and other providers of critical services in the United States and Europe.

In some cases, the attacks have interrupted critical public services.

U.S. and European hospitals have been forced to divert patients to other facilities when ransomware paralyzed computer systems.

Local police have been forced to manually dispatch calls, and San Francisco’s public transit system was unable to collect fares for a weekend during the busy Christmas shopping season.

(Reporting by Alastair Sharp; Editing by Jim Finkle and Steve Orlofsky)

Waymo testing self-driving car ride service in Arizona

Waymo unveils a self-driving Chrysler Pacifica minivan during the North American International Auto Show in Detroit, Michigan, U.S., January 8, 2017. REUTERS/Brendan McDermid

SAN FRANCISCO (Reuters) – Alphabet Inc’s Waymo autonomous vehicle group will begin testing a self-driving car program for hundreds of families in Phoenix, Arizona and is buying 500 Chrysler minivans to do so, the companies said on Tuesday.

Waymo, which along with Google is owned by Alphabet Inc <GOOGL.O>, has recently been quietly testing the service for a handful of families, learning what potential customers would want from a ride service, the company said in a blog post.

It urged people to apply to take part in an expanded test, which is the first public trial of Waymo’s self-driving cars. The vehicles include human operators from Waymo behind the wheel, in case intervention is required and to take feedback.

Silicon Valley is racing to master self-driving technology, betting that it will transform the auto industry and be a gold mine for leading companies. Waymo has one of the best technology track records, and it has an alliance with Fiat Chrysler Automobiles <FCHA.MI>.

Many companies expect that customers will use autonomous vehicles as a service, rather than owning them outright. Ride service Uber in particular expects to use autonomous cars.

The new Waymo test in Arizona is meant to help the company understand what people want out of self-driving cars and see how they use and integrate the service. Testers will get access every day at any time.

Waymo already has 100 Chrysler Pacifica minivans and is acquiring five times more, partly to be able to support the service.

(Reporting by Peter Henderson; Editing by Mary Milliken)

German cabinet agrees to fine social media over hate speech

The Facebook logo is displayed on their website in an illustration photo taken in Bordeaux, France, February 1, 2017. REUTERS/Regis Duvignau

BERLIN (Reuters) – The German cabinet approved a plan on Wednesday to fine social networks up to 50 million euros ($53 million) if they do not remove hateful postings quickly, prompting concerns the law could limit free expression.

Germany already has some of the world’s toughest hate speech laws covering defamation, public incitement to commit crimes and threats of violence, backed up by prison sentences for Holocaust denial or inciting hatred against minorities.

“There should be just as little tolerance for criminal rabble rousing on social networks as on the street,” Justice Minister Heiko Maas said in a statement, adding that he would seek to push for similar rules at a European level.

The issue has taken on more urgency as German politicians worry that a proliferation of fake news and racist content, particularly about 1 million migrants who have arrived in the last two years, could sway public opinion in the run-up to the national election in September.

However, organizations representing digital companies, consumers and journalists accused the government of rushing a law to parliament that could damage free speech.

“It is the wrong approach to make social networks into a content police,” said Volker Tripp, head of the Digital Society Association consumer group.

The draft law would give social networks 24 hours to delete or block obviously criminal content and seven days to deal with less clear-cut cases, with an obligation to report back to the person who filed the complaint about how they handled the case.

Failure to comply could see a company fined up to 50 million euros, and the company’s chief representative in Germany fined up to 5 million euros.

Bitkom, an association which represents digital companies, said the government should build up specialist teams to monitor online content for potential infringements, rather than expect social networks to do it themselves.

“Given the short deadlines and the severe penalties, providers will be forced to delete doubtful statements as a precaution. That would have a serious impact on free speech on the internet,” said Bitkom manager Bernhard Rohleder.

Since it was unveiled last month, the draft law has been amended to include new categories of content, such as child pornography. It also now allows courts to order social networks to reveal the identity of the user behind criminal posts.

To address free speech concerns, the legislation was tweaked to make clear that a fine would not necessarily be imposed after just one infraction.

“It is clear that freedom of expression is of huge importance in our vibrant democracy … however, freedom of expression ends where criminal law begins,” Maas said.

Maas said a government survey showed Facebook deleted just 39 percent of content deemed criminal and Twitter only 1 percent, even though they signed a code of conduct in late 2015 including a pledge to delete hate speech within 24 hours.

(Reporting by Emma Thomasson and Thorsten Severin; Editing by Tom Heneghan)

UK and Swedish watchdogs warn of international cyber attack

A magnifying glass is held in front of a computer screen in this picture illustration taken in Berlin May 21, 2013. REUTERS/Pawel Kopczynski

STOCKHOLM (Reuters) – A large-scale cyber attack from a group targeting organizations in Japan, the United States, Sweden and many other European countries through IT services providers has been uncovered, the Swedish computer security watchdog said on Wednesday.

The cyber attack, uncovered through a collaboration by Britain’s National Cyber Security Centre, PwC and cyber security firm BAE Systems, targeted managed service providers to gain access to their customers’ internal networks since at least May 2016 and potentially as early as 2014.

The exact scale of the attack, which is named Cloud Hopper and comes from an organization called APT10, is not known but is believed to involve huge amounts of data, Sweden’s Civil Contingencies Agency said in a statement. The agency did not say whether the cyber attacks were still happening.

“The high level of digitalization in Sweden, along with the amount of services outsourced to managed service providers, means that there is great risk that several Swedish organizations are affected by the attacks,” the watchdog said.

The agency said those behind the attacks had used significant resources to identify their targets and sent sophisticated phishing e-mails to infect computers.

It also said Swedish IP addresses had been used to coordinate the incursions and retrieve stolen data and that APT10 specifically targeted IT, communications, healthcare, energy and research sectors.

(Reporting by Johan Ahlander; Editing by Niklas Pollard and Stephen Powell)

Major internet providers say will not sell customer browsing histories

The NBC and Comcast logo are displayed on top of 30 Rockefeller Plaza, formerly known as the GE building, in midtown Manhattan in New York July 1, 2015. REUTERS/Brendan McDermid/File Photo

By David Shepardson

WASHINGTON (Reuters) – Comcast Corp, Verizon Communications Inc and AT&T Inc said Friday they would not sell customers’ individual internet browsing information, days after the U.S. Congress approved legislation reversing Obama administration era internet privacy rules.

The bill would repeal regulations adopted in October by the Federal Communications Commission under former President Barack Obama requiring internet service providers to do more to protect customers’ privacy than websites like Alphabet Inc’s Google or Facebook Inc.

The easing of restrictions has sparked growing anger on social media sites.

“We do not sell our broadband customers’ individual web browsing history. We did not do it before the FCC’s rules were adopted, and we have no plans to do so,” said Gerard Lewis, Comcast’s chief privacy officer.

He added Comcast is revising its privacy policy to make more clear that “we do not sell our customers’ individual web browsing information to third parties.”

Verizon does not sell personal web browsing histories and has no plans to do so in the future, said spokesman Richard Young.

Verizon privacy officer Karen Zacharia said in a blog post Friday the company has two programs that use customer browsing data. One allows marketers to access “de-identified information to determine which customers fit into groups that advertisers are trying to reach” while the other “provides aggregate insights that might be useful for advertisers and other businesses.”

Republicans in Congress Tuesday narrowly passed the repeal of the rules with no Democratic support and over the objections of privacy advocates.

The vote was a win for internet providers such as AT&T Inc, Comcast and Verizon. Websites are governed by a less restrictive set of privacy rules.

The White House said Wednesday that President Donald Trump plans to sign the repeal of the rules, which had not taken effect.

Under the rules, internet providers would have needed to obtain consumer consent before using precise geolocation, financial information, health information, children’s information and web browsing history for advertising and marketing. Websites do not need the same affirmative consent.

Some in Congress suggested providers would begin selling personal data to the highest bidder, while others vowed to raise money to buy browsing histories of Republicans.

AT&T says in its privacy statement it “will not sell your personal information to anyone, for any purpose. Period.” In a blog post Friday, AT&T said it would not change those policies after Trump signs the repeal.

Websites and internet service providers do use and sell aggregated customer data to advertisers. Republicans say the rules unfairly would give websites the ability to harvest more data than internet providers.

Trade group USTelecom CEO Jonathan Spalter said in an op-ed Friday for website Axios that individual “browser history is already being aggregated and sold to advertising networks – by virtually every site you visit on the internet.”

This week, 46 Senate Democrats urged Trump not to sign the bill, arguing most Americans “believe that their private information should be just that.”

(Reporting by David Shepardson; Editing by Cynthia Osterman and Lisa Shumaker)

A scramble at Cisco exposes uncomfortable truths about U.S. cyber defense

The logo of Cisco is seen at Mobile World Congress in Barcelona, Spain, February 27, 2017. REUTERS/Eric Gaillard

By Joseph Menn

SAN FRANCISCO (Reuters) – When WikiLeaks founder Julian Assange disclosed earlier this month that his anti-secrecy group had obtained CIA tools for hacking into technology products made by U.S. companies, security engineers at Cisco Systems <CSCO.O> swung into action.

The WikiLeaks documents described how the Central Intelligence Agency had learned more than a year ago how to exploit flaws in Cisco’s widely used Internet switches, which direct electronic traffic, to enable eavesdropping.

Senior Cisco managers immediately reassigned staff from other projects to figure out how the CIA hacking tricks worked, so they could help customers patch their systems and prevent criminal hackers or spies from using the same methods, three employees told Reuters on condition of anonymity.

The Cisco engineers worked around the clock for days to analyze the means of attack, create fixes, and craft a stopgap warning about a security risk affecting more than 300 different products, said the employees, who had direct knowledge of the effort.

That a major U.S. company had to rely on WikiLeaks to learn about security problems well-known to U.S. intelligence agencies underscores concerns expressed by dozens of current and former U.S. intelligence and security officials about the government’s approach to cybersecurity.

That policy overwhelmingly emphasizes offensive cyber-security capabilities over defensive measures, these people told Reuters, even as an increasing number of U.S. organizations have been hit by hacks attributed to foreign governments.

Larry Pfeiffer, a former senior director of the White House Situation Room in the Obama administration, said now that others were catching up to the United States in their cyber capabilities, “maybe it is time to take a pause and fully consider the ramifications of what we’re doing.”

U.S. intelligence agencies blamed Russia for the hack of the Democratic National Committee during the 2016 election. Nation-states are also believed to be behind the 2014 hack of Sony Pictures Entertainment and the 2015 breach of the U.S. Government’s Office of Personnel Management.

CIA spokeswoman Heather Fritz Horniak declined to comment on the Cisco case, but said it was the agency’s “job to be innovative, cutting-edge, and the first line of defense in protecting this country from enemies abroad.”

The Office of the Director of National Intelligence, which oversees the CIA and NSA, referred questions to the White House, which declined to comment.

Across the federal government, about 90 percent of all spending on cyber programs is dedicated to offensive efforts, including penetrating the computer systems of adversaries, listening to communications and developing the means to disable or degrade infrastructure, senior intelligence officials told Reuters.

President Donald Trump’s budget proposal would put about $1.5 billion into cyber-security defense at the Department of Homeland Security (DHS). Private industry and the military also spend money to protect themselves.

But the secret part of the U.S. intelligence budget alone totaled about $50 billion annually as of 2013, documents leaked by NSA contractor Edward Snowden show. Just 8 percent of that figure went toward “enhanced cyber security,” while 72 percent was dedicated to collecting strategic intelligence and fighting violent extremism.

Departing NSA Deputy Director Rick Ledgett confirmed in an interview that 90 percent of government cyber spending was on offensive efforts and agreed it was lopsided.

“It’s actually something we’re trying to address” with more appropriations in the military budget, Ledgett said. “As the cyber threat rises, the need for more and better cyber defense and information assurance is increasing as well.”

The long-standing emphasis on offense stems in part from the mission of the NSA, which has the most advanced cyber capabilities of any U.S. agency.

It is responsible for the collection of intelligence overseas and also for helping defend government systems. It mainly aids U.S. companies indirectly, by assisting other agencies.

“I absolutely think we should be placing significantly more effort on the defense, particularly in light of where we are with exponential growth in threats and capabilities and intentions,” said Debora Plunkett, who headed the NSA’s defensive mission from 2010 to 2014.

GOVERNMENT ROLE

How big a role the government should play in defending the private sector remains a matter of debate.

Former military and intelligence leaders such as ex-NSA Director Keith Alexander and former Secretary of Defense Ashton Carter say that U.S. companies and other institutions cannot be solely responsible for defending themselves against the likes of Russia, China, North Korea and Iran.

For tech companies, the government’s approach is frustrating, executives and engineers say.

Sophisticated hacking campaigns typically rely on flaws in computer products. When the NSA or CIA find such flaws, under current policies they often choose to keep them for offensive attacks, rather than tell the companies.

In the case of Cisco, the company said the CIA did not inform the company after the agency learned late last year that information about the hacking tools had been leaked.

“Cisco remains steadfast in the position that we should be notified of all vulnerabilities if they are found, so we can fix them and notify customers,” said company spokeswoman Yvonne Malmgren.

SIDE BY SIDE

A recent reorganization at the NSA, known as NSA21, eliminated the branch that was explicitly responsible for defense, the Information Assurance Directorate (IAD), the largest cyber-defense workforce in the government. Its mission has now been combined with the dominant force in the agency, signals intelligence, in a broad operations division.

Top NSA officials, including director Mike Rogers, argue that it is better to have offensive and defensive specialists working side by side. Other NSA and White House veterans contend that perfect defense is impossible and therefore more resources should be poured into penetrating enemy networks – both to head off attacks and to determine their origin.

Curtis Dukes, the last head of IAD, said in an interview after retiring last month that he feared defense would get even less attention in a structure where it does not have a leader with a direct line to the NSA director.

“It’s incumbent on the NSA to say, ‘This is an important mission’,” Dukes said. “That has not occurred.”

(Reporting by Joseph Menn in San Francisco; Additional reporting by Warren Strobel in Washington; Editing by Jonathan Weber and Ross Colvin)

NATO to spend 3 billion euros on satellite, cyber defenses

FILE PHOTO - A NATO flag flies at the Alliance's headquarters in Brussels, March 2, 2014. REUTERS/Yves Herman/File Photo

By Robin Emmott

BRUSSELS (Reuters) – NATO plans to spend 3 billion euros ($3.24 billion) to upgrade its satellite and computer technology over the next three years as the Western military alliance adapts to new threats, a senior official said.

Seeking to deter hackers, and other threats including Iranian missiles, the investments underscore NATO’s recognition that conflicts are increasingly fought on computer networks as well as in the air, on land and at sea.

A senior official at the NATO Communications and Information Agency said the plans include a 1.7-billion-euro investment in satellite communications to better support troops and ships deployed across the alliance, as well as aiding the use of Unmanned Aerial Vehicles (UAVs) or drones.

It was not immediately clear if NATO allies would fund a new military communications satellite to be launched into space or if an increase in broadband capacity could be gained from existing U.S. and other allied satellites.

Non-NATO member Japan launched its first military communications satellite in January.

The proposals, for which some funding must still be approved by NATO governments, also envisage spending about 800 million euros on the computer systems that help command air and missile defenses, said the official, who declined to be named.

Seventy-one million euros will go to improving the protection of NATO’s 32 main locations from cyber attacks.

NATO says it has seen a five-fold increase in suspicious events on its networks in the past three years, while Russian group APT28 is blamed by Western intelligence for the hacking of the U.S. Democratic Party during last year’s U.S. election.

NATO officials have told Reuters they suspect Russia sponsors attacks against their networks before major summits.

Another 180 million euros are to be spent to provide more secure mobile communications for alliance soldiers in the field.

NATO will present its needs in detail at a conference in Ottawa in April and then begin launching the bidding process.

It is likely to attract major Western defense contractors including Airbus Group, Raytheon and Lockheed Martin Corp, the official said, in part because “there cannot be content that does not come from NATO nations.”

NATO rules prohibit Russian or Chinese suppliers unless there is a specific need that allied companies cannot provide.

(Reporting by Robin Emmott; Editing by Janet Lawrence)

Global private companies confident, but unprepared for hacking threat: PwC

LONDON (Reuters) – The chief executives of some of the world’s leading private companies are confident about their firms’ prospects and plan to recruit more staff, but are ill-prepared for cyber attacks, according to a report by PwC on Thursday.

The “Undaunted, but underprepared?” report found 86 percent of CEOs were confident about their companies’ revenue prospects in 2017, an increase of 5 percent from last year.

That made it the first time in five years that private company bosses were more confident than public company CEOs.

The report, based on responses from 781 private company CEOs in 79 countries, also found that 41 percent of private company CEOs were not concerned about cyber threats and only 68 percent were concerned about the speed of technological change.

Stephanie Hyde, Global Entrepreneurial and Private Business Leader for PwC UK, said it was worrying that private company CEOs were less concerned about technology and cyber compared to their public counterparts, as they had fewer resources available to invest in addressing these issues.

“This may make them more vulnerable to cyber attacks, so in theory they should be more concerned about these threats not less,” she said.

“In our view, this is probably the single most worrying finding in our report, especially in light of growing evidence that hackers are now targeting smaller and private businesses, thinking they will not be so well protected.”

(Reporting by Michael Holden)

SAP pushes to patch risky HANA security flaws before hackers strike

SAP logo at SAP headquarters in Walldorf, Germany, January 24, 2017. REUTERS/Ralph Orlowski

By Eric Auchard

FRANKFURT (Reuters) – Europe’s top software maker SAP said on Tuesday it had patched vulnerabilities in its latest HANA software that had a potentially high risk of giving hackers control over databases and business applications used to run big multinational firms.

While hacks on phones, websites and computers that consumers rely on every day grab headlines, vulnerabilities in big business software are more lucrative to attackers as these tools store data and run transactions which are the lifeblood of businesses.

The latest security weaknesses, known in industry parlance as “zero day” vulnerabilities, rank among the most critical ever found in HANA, the engine that runs SAP’s latest database, cloud and other more traditional business apps, according to Onapsis, the security company which uncovered these issues.

SAP software acts as the corporate plumbing for many multinationals and the company claims 87 percent of the top 2,000 global companies as customers.

Onapsis said vulnerabilities lay in a HANA component known as “User Self Service” (USS) which would allow malicious insiders or remote attackers to fully compromise vulnerable systems, without so much as valid usernames and passwords.

It reported 10 HANA vulnerabilities to SAP less than 60 days ago, which the German software maker fixed in near-record time, according to interviews with executives of both companies.

The resulting patch issued by SAP on Tuesday was rated by it as 9.8 on a scale of 10, “very high” in terms of relative risk to its customers. SAP is releasing five HANA patches this week to fix a range of vulnerabilities uncovered in recent months.

“SAP has done a great job by releasing fixes much faster than in past situations,” Onapsis Chief Executive Mariano Nunez told Reuters in an interview.

Customers must in turn choose when to apply such patches to software that runs their most critical corporate functions, a process that may take months or years, in rare cases. They must balance security risks against operational demands.

SAP executives urged security managers working for its customers to patch relevant systems.

“There has not been one case where a customer who applied the recommended patches has been affected,” Siddhartha Rao, vice president of SAP Product Security Response, said of the six years he has been on the job. “We currently expect there will not be that many customers affected by these issues,” he said.

Last May, however, the U.S. Department of Homeland Security issued an alert advising SAP customers they needed to urgently plug holes for which SAP already had offered patches in 2010, but which some customers failed to adopt, leaving dozens exposed to hacker break-ins afterward. (http://reut.rs/2mkTVgI)

Three dozen enterprises were found to have telltale signs of unauthorized access due to outdated or misconfigured SAP NetWeaver Java systems, Onapsis said at the time.

Onapsis helps secure more than 200 SAP customers ranging from Schlumberger to Sony Corp, Westinghouse and the U.S. Army. It also identifies security vulnerabilities for corporate customers in rival systems from Oracle.

Giving HANA customers breathing room, the USS component first offered by SAP in October 2014 is not activated by default, but must be specially enabled, Onapsis said.

It has identified two companies – an energy company and a retailer – where vulnerabilities were found and fixed. Companies which are not using USS features are unaffected, Onapsis said.

Technical details can be found on the security blogs of SAP (https://goo.gl/11Dz5w) and Onapsis (https://goo.gl/Xiryyp). There is no evidence hackers have taken advantage so far, the companies said.

Last year, the company issued more than 160 patches in all, SAP said. Ten percent of these were HANA related, Onapsis added.

(Reporting by Eric Auchard; Editing by Stephen Coates)

WikiLeaks offers CIA hacking tools to tech companies: Assange

WikiLeaks founder Julian Assange makes a speech from the balcony of the Ecuadorian Embassy, in central London, Britain February 5, 2016. REUTERS/Peter Nicholls/Files

By Dustin Volz and Eric Auchard

WASHINGTON/FRANKFURT (Reuters) – WikiLeaks will provide technology companies with exclusive access to CIA hacking tools that it possesses, to allow them to patch software flaws, founder Julian Assange said on Thursday.

The offer, if legitimate, could put Silicon Valley in the unusual position of deciding whether to cooperate with Assange, a man believed by some U.S. officials and lawmakers to be an untrustworthy pawn of Russian President Vladimir Putin, or a secretive U.S. spy agency.

It was not clear how WikiLeaks intended to cooperate with technology companies, or if they would accept his offer. The anti-secrecy group published documents on Tuesday describing secret Central Intelligence Agency hacking tools and snippets of computer code. It did not publish the full programs that would be needed to actually conduct cyber exploits against phones, computers and Internet-connected televisions.

Representatives of Alphabet Inc’s Google, Apple Inc, Microsoft Corp <MSFT.O> and Cisco Systems Inc <CSCO.O>, all of whose wares are subject to attacks described in the documents, did not immediately respond to requests for comment before regular business hours on the U.S. West Coast.

“Considering what we think is the best way to proceed and hearing these calls from some of the manufacturers, we have decided to work with them to give them some exclusive access to the additional technical details that we have so that the fixes can be developed and pushed out, so people can be secure,” Assange said during a press conference broadcast via Facebook Live.

Responding to Assange’s comments, CIA spokesman Jonathan Liu said in a statement, “As we’ve said previously, Julian Assange is not exactly a bastion of truth and integrity.”

“Despite the efforts of Assange and his ilk, CIA continues to aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nation states and other adversaries.”

The disclosures alarmed the technology world and consumers concerned about the potential privacy implications of the cyber espionage tactics that were described.

One file described a program known as Weeping Angel that purportedly could take over a Samsung smart television, making it appear it was off when in fact it was recording conversations in the room.

Other documents described ways to hack into Apple Inc <AAPL.O> iPhones, devices running Google’s <GOOGL.O> Android software and other gadgets in a way that could observe communications before they are protected by end-to-end encryption offered by messaging apps like Signal or WhatsApp.

Several companies have already said they are confident that their recent security updates have already accounted for the purported flaws described in the CIA documents. Apple said in a statement on Tuesday that “many of the issues” leaked had already been patched in the latest version of its operating system.

WikiLeaks’ publication of the documents reignited a debate about whether U.S. intelligence agencies should hoard serious cyber security vulnerabilities rather than share them with the public. An interagency process created under former President Barack Obama called for erring on the side of disclosure.

President Donald Trump believed changes were needed to safeguard secrets at the CIA, White House spokesman Sean Spicer told a news briefing on Thursday. “He believes that the systems at the CIA are outdated and need to be updated.”

Two U.S. intelligence and law enforcement officials told Reuters on Wednesday that intelligence agencies have been aware since the end of last year of a breach at the CIA, which led to WikiLeaks releasing thousands of pages of information on its website.

The officials, speaking on condition of anonymity, said contractors likely breached security and handed over the documents to WikiLeaks. The CIA has declined to comment on the authenticity of the documents leaked, but the officials said they believed the pages about hacking techniques used between 2013 and 2016 were authentic.

Contractors have been revealed as the source of sensitive government information leaks in recent years, most notably Edward Snowden and Harold Thomas Martin, both employed by consulting firm Booz Allen Hamilton <BAH.N> while working for the National Security Agency.

Assange said he possessed “a lot more information” about the CIA’s cyber arsenal that would be released soon. He criticized the CIA for “devastating incompetence” for not being able to control access to such sensitive material.

Nigel Farage, the former leader of the populist UK Independence Party, visited Assange at the Ecuadorean embassy in London earlier on Thursday. A representative for Farage said he was unaware what was discussed.

Assange has been holed up since 2012 at the embassy, where he fled to avoid extradition to Sweden over allegations of rape, which he denies.

(Reporting by Dustin Volz; Additional reporting by Eric Auchard in Frankfurt, Joseph Menn in San Francisco and Guy Faulconbridge in London; Editing by Frances Kerry and Grant McCool)