Cyber Security

HIGHLIGHTS

Swift Security Chief Says Banks Have Tightened Controls Following Theft of Codes

Cyber Matters: The Do's and Don'ts for Companies Hit by a Breach

Canadian Hacker Gets Five-Year Sentence Following 2014 Yahoo Breach

Are Huawei and ZTE a Real Cybersecurity Threat?

Editor’s News Picks: How a Mexican Bank Stopped a $110 Million Heist; Bitcoin Spinoff Manipulated in $18 Million Hack; Credit Freezes Will Soon Be Free.


Commentary & Analysis

Swift Security Chief Says Banks Have Tightened Controls Following Theft of Codes

By Adam Janofsky

A series of cyberattacks on banks in recent years using stolen money-transfer codes has prompted stronger rules for how financial firms safeguard and share these credentials, said the head of security for the dominant network used by banks for cross-border transactions.

Karel De Kneef, head of security operations at Swift, the Brussels-based Society for Worldwide Interbank Financial Telecommunication, said his organization has implemented stronger security controls for its members that would make it harder for criminals to steal bank codes. Swift also created a customer assurance intelligence team in 2016 to help the 11,000 banking and securities organizations that use its service respond to cyberattacks, he said.

The new initiatives were launched after a string of incidents in recent years that included banks in Bangladesh, Vietnam and Ecuador. The attacks typically used malware to steal bank codes, which are used to authorize transactions among different financial institutions.

For example, cybercriminals stole more than $100 million from Bangladesh’s central bank in 2016 after the Federal Reserve Bank of New York received payment instructions with correct bank codes to send money to private accounts in the Philippines and Sri Lanka.

In these incidents, Swift’s network and systems were never breached, said Mr. De Kneef. Instead, hackers compromised individual banks and obtained their Swift codes, which allowed them to disguise fraudulent transactions.

“We had institutions connecting to our network that were compromised, and our network was being used as a transport mechanism to get money out of the financial system,” said Mr. De Kneef, who spoke at the WSJ Pro Cybersecurity conference in London on May 24.

The Swift issue highlights a common problem across industries of how a cyberattack against one organization can affect many others, Mr. De Kneef said. To prevent an attack from spreading, companies must share information on common threats and commit to stronger security standards, he said.

New standards for fund transfers. Months after the incidents became public, Swift released new security standards for its customers, said Mr. De Kneef. The list includes 16 mandatory controls and 11 advised controls.

The standards include requirements for how banks should physically isolate Swift-related equipment and restrict access to tokens that contain Swift credentials. They also include common standards used outside of the financial industry, such as provisions for annual security training and the creation of cybersecurity incident response plans.

The new controls are critical for Swift because the system is built on trust, said Mr. De Kneef. Banks use the service to instruct each other on where to send billions of dollars each day, and cyberattacks might threaten confidence in the system.

“Ever since I took on this job, cyberrisk has been the main thing to keep me awake at night,” said Swift Chief Executive Gottfried Leibbrandt at the European Financial Services Conference in May 2016. “It’s a problem because the financial system is hugely interconnected and it operates on trust.”

Swift members must share proof of their security standard compliance with trading partners in the Swift network, said Mr. De Kneef. The documentation must be signed by the chief information security officer of the institution, he added.

Improve monitoring and disclosure. Banks around the world, for the most part, are getting better at cybersecurity, said Mr. De Kneef. Although attacks against the financial sector will continue, the amount of money lost due to these incidents has noticeably declined, he said.

“More and more we get involved when an attack has been stopped before fraud has been attempted,” said Mr. De Kneef. “The sender, receiver or someone in the middle of the transaction spots and stops it.”

Two years ago, hackers could attack a bank’s network and go undetected for up to one year, said Mr. De Kneef. This gave them time to study the infrastructure, carry out large heists and cover their tracks. In the Bangladesh bank incident, for example, hackers breached as many as 32 computers and had remotely monitored activity for several weeks, according to a report by private investigators.

Mr. De Kneef said Swift has tried to improve information sharing programs in recent years, which would give banks greater visibility into new attacks. Swift members are required to notify the organization of cyberattacks and assist Swift in investigating and resolving the issues.

“There’s a contractual obligation for our customers to inform us, but the question [for them] is when do they decide they need to inform,” he said.

Write to Adam Janofsky at adam.janofsky@wsj.com.

Cyber Matters: The Do’s and Don’ts for Companies Hit by a Breach

By Rob Sloan, cybersecurity research director, WSJ Pro

The damage for organizations hit by cyberattacks doesn’t end when the attackers are removed from the network. The worst is often yet to come. A key difference in how companies fare following a data breach often comes down to two issues: how effectively the company worked with regulators; and how the company managed post-breach communications.

If the company gets either element wrong, then in addition to the cost of investigating and remediating the incident, the company could be hit by significant fines from regulators and feel the pain of consumers or clients taking their business elsewhere.

Minimizing the risk of further damage following a breach topped the concerns of a senior-level audience at an event hosted in New York last week by strategic communications agency Sard Verbinnen & Co. Experts with backgrounds in communications, legal and regulatory issues discussed how to balance legal and reputational risk. Your correspondent was honored to moderate the panel.

Communication in the aftermath of an incident isn’t limited to media statements from the company. It also includes internal communications among staff, executives and the board, exchanges between the company and regulators, and notifications to affected parties about the incident. Each of those relationships requires a nuanced approach that should be planned in advance.

Most larger companies, especially financial services institutions, are well-prepared from a post-incident communications perspective, due in particular to the regulations and examinations they must comply with, according to Judith Pinto, managing director at Promontory Financial Group. Having financial resources to hire legal and communications expertise in-house is a significant advantage, she said, but preparing in-house to handle crisis communication is critical.

“Taking the time to walk through and practice is the biggest differentiator we see,” said Ms. Pinto. “Successful firms conduct table-top exercises where a scenario is presented and participants make those decisions like ‘are we going to pay the ransom’.” One of the first things companies need to establish, she said, is ‘who is in charge?’

Scott Lindlaw, managing director and co-head of the cybersecurity and data privacy practice at Sard Verbinnen, said firms must treat cybersecurity incidents as crises of the highest magnitude.

According to Mr. Lindlaw, firms need to identify in advance the types of incident most likely to impact their business and prepare written communications plans for those situations. “Identify the audiences you need to communicate to after an incident,” he said, “and understand the company’s culture: how does the company communicate generally, through a blog or social media or something else? That then becomes the foundation for actual testing.”

As soon as an incident is declared, the company’s counsel will need to understand which data are affected, which regulators need to be informed in which order and in what timeframe.

However, Mr. Lindlaw said companies should not base breach disclosure decisions solely on their legal obligations. More companies are opting to disclose data incidents even when they are not legally required to, he said. Factors that may go into this decision are whether the company could protect customers by voluntarily announcing the incident, and whether the company’s brand is deeply associated with customer trust.

These legal and communications judgments are often complicated by limited information.

“I’m not a fan of plans that start out by classifying suspected incidents by ‘severity levels of low, medium and high’. You just don’t know – you may only be seeing the tip of the iceberg,” said Luke Dembosky, partner and co-chair of cybersecurity and data privacy practice at Debevoise & Plimpton. Mr. Dembosky said cross-functional incident response teams need to develop a “spidey-sense” to deal with potential data breach issues that aren’t black and white.

Mr. Dembosky recommends assembling a core, cross-functional team to respond to incidents, including communications, legal, privacy, cybersecurity, IT and risk. Routine incidents are handled according to standard operating procedures, while non-routine incidents are either confirmed, meaning they are understood, or unconfirmed, meaning the response team is still establishing the nature of the incident.

Auxiliary team members with specific roles can be added to the core team depending on the incident type. For example, an investigation into a suspected insider would typically call for input from a senior manager from human resources.

“That core team is the central hub in briefing up to senior management, which is then empowered to brief the board,” said Mr. Dembosky.

Sabrina Ross, CEO of Inscape Privacy, said the challenge is to establish the facts quickly and ensure the investigation is protected with legal privilege. Legal privilege does not remove the obligation to disclose an incident, but does guard against certain internal communications about the incident being disclosed in any subsequent legal action.

Ms. Ross said having written breach response plans and exercising them demonstrates the company takes cybersecurity seriously: “It’s akin to an insurance policy. When regulators or the public come knocking, showing preparedness buys you a lot in the communications world and in the legal world.”

Mr. Dembosky summed up the importance of actually exercising written communications and legal plans in advance of attacks to see how they hold up under the intense pressure of an incident with a quote from former boxing champion Mike Tyson: “Everyone has a plan until they get punched in the mouth.”

Rob Sloan is cybersecurity research director at WSJ Pro. Previously, Rob has worked as response director for a specialist IT security consultancy in London and built a team focused on detecting, investigating and protecting against cyber intrusions and responding to incidents, especially state-sponsored attacks. Rob started his career working for the U.K. government, looking at some of the earliest cyberattacks against the critical national infrastructure. Rob’s main interest is the requirements, motivations and technical capabilities of threat actors.


More From Dow Jones

Canadian Hacker Gets Five-Year Sentence Following 2014 Yahoo Breach

By Robert McMillan

Karim Baratov, a dual Canadian-Kazakh national, was sentenced to five years in prison Tuesday on charges related to the 2014 security breach at Yahoo.

A 23-year-old computer hacker was sentenced Tuesday to five years in prison over charges stemming from the massive 2014 security breach at Yahoo Inc., a campaign federal authorities have alleged was orchestrated by Russian spies.

Karim Baratov, a dual Canadian-Kazakh national, had pleaded guilty to computer-hacking charges. He was also fined $250,000.

Mr. Baratov is the only hacker convicted following a series of intrusions that led to the compromise of three billion user accounts at Yahoo, which since has been sold to Verizon Communications Inc.

In federal court Tuesday, prosecutors argued Mr. Baratov deserved a stricter 94-month sentence to deter further criminal collaboration with the Russian government. Mr. Baratov’s attorney, Andrew Mancilla, said the government was “trying to make an example” of his client.

“The last 14 months have been a very humbling and an eye-opening experience,” Mr. Baratov said ahead of his sentencing. “I did not know how much damage and trouble I had caused. There’s no excuse for my actions.”

Mr. Baratov wasn’t believed to have been involved in the Yahoo hack itself but was a hacker-for-hire used as part of a broader information-gathering operation tied to Russia, according to prosecutors.

His specialty was breaking into web-based email accounts, said Elvis Chan, a supervisory special agent with the Federal Bureau of Investigation.

“He was kind of a go-to guy because he was pretty reliable,” Mr. Chan said.

The hacker broke into more than 11,000 web email accounts between 2010 and 2017, according to federal authorities, who linked about 80 of these break-ins to the Yahoo hack.

Mr. Baratov was sentenced in San Francisco federal court by Judge Vince Chhabria.

Write to Robert McMillan at Robert.Mcmillan@wsj.com

Are Huawei and ZTE a Real Cybersecurity Threat?

By Stu Woo

A manufacturer could easily disable telecom equipment that it made, but using the equipment to spy would be difficult.

The U.S. government’s remarkable campaign against Huawei Technologies Co. and ZTE Corp., which has involved a series of actions aimed at limiting the Chinese manufacturers’ business in the U.S. and elsewhere, is rooted in a cybersecurity fear.

Huawei and ZTE are the world’s No. 1 and No. 4 makers of telecommunications equipment, such as the cellular-tower electronics that wireless carriers need. Washington worries that the Chinese government could order the companies to tap the products they make to spy, disable communications or launch other cyberattacks. Among other steps, the Trump administration has banned U.S. suppliers from selling components to ZTE, a move that could shut down the company, though U.S. and Chinese officials are negotiating a reprieve for ZTE.

Huawei and ZTE say the concerns about them are unfounded. But is the threat real?

Telecommunications cybersecurity experts say yes—with caveats. A manufacturer could easily disable telecom equipment that it made, but using the equipment to spy would be difficult. And any incursion would be quickly detected and would work only once.

How systems work

To better understand the risks, and their limitations, first consider how mobile-phone calls work. Suppose someone in Seattle uses a cellphone to call someone in Miami. After the caller dials, the phone connects to a nearby cellular tower. That tower is connected to wires, which are connected to a giant network of wires across America that zap the call to a cellular tower near the person in Miami. Then the tower will beam the call to that person’s phone.

Huawei and ZTE, along with Finland’s Nokia Corp. and Sweden’s Ericsson AB, are four major manufacturers of cellular-tower equipment. Typically, antennas on the tower are connected by wires to electronics in a shed at the tower’s base. Those electronics are basically computers with complex software that zap a call (or Google search or whatever people do on their mobile phones that use the internet) to the correct destination.

Not only do the electronics run on software with possibly millions of lines of code, but that software is frequently updated by the manufacturer remotely, experts say. That makes it nearly impossible for a wireless carrier or a government to detect whether there is a “back door” that could allow the manufacturer to remotely switch off a tower’s electronics, or send data to somewhere it shouldn’t go.

“When you’re dealing with millions of lines of code, there’s always going to be a vulnerability,” says Darien Huss, a researcher at Sunnyvale, Calif.-based cybersecurity firm Proofpoint Inc. “A piece of code could look legitimate, but it could be a back door. There are a lot of ways to hide it.”

Inserting a back door that would allow a manufacturer to remotely shut off cellular-tower electronics, or all the related equipment, would be easy—and potentially devastating. Studies show it takes about five days to recover from an infrastructure cyberattack, says Simon Church, a general manager at Denver-based cybersecurity firm Optiv Security Inc. and a former security executive at Vodafone Group PLC, the British-based wireless carrier.

“The doomsday scenario is turning off network communications,” Mr. Church says. “You turn off traffic lights—that’s five days. You turn off the subway system—that’s five days.”

It would be much more difficult for a telecom-equipment manufacturer to spy. Most wireless carriers use sophisticated software that can automatically detect anomalous behavior, such as equipment that sends data to unexpected places. In addition, some organizations, such as the U.S. military, heavily encrypt their communications, so anyone who intercepts that data might find it indecipherable anyway.

Insider needed

“Getting data would be nearly impossible without a cooperating insider,” says David Mihelcic, a former Defense Department cybersecurity expert who is now federal chief technology and strategy officer for Juniper Networks Inc., which is based in Sunnyvale, Calif., and competes with Huawei and ZTE in the telecom-equipment market.

Given the sophisticated monitoring systems that wireless carriers and internet providers use, any cyberattack from a manufacturer that involves shutting down electronics or spying would be quickly detected, Mr. Mihelcic says. A wireless carrier could then patch the software on the equipment, to remove the back door. “Those are one-time weapons, and there would be political fallout, and maybe military fallout,” he says.


In addition to telecom equipment, Washington also fears that Huawei and ZTE, which are also major smartphone manufacturers, could spy using those devices. That was the rationale behind the Pentagon ordering retail stores on military bases to stop selling Huawei and ZTE phones to troops who wanted to use them as personal phones. U.S. military leaders worried that smartphone manufacturers could, for example, track soldiers and decipher base operations, or see when soldiers attend off-base gatherings, according to people familiar with the matter.

Tapping into a smartphone is easier than infiltrating telecom equipment, which is in a secured and closed environment, experts say. Smartphone manufacturers own and frequently update the core software on their devices. “Could they have the capability that’s tapping into a call or recording a call?” says Kevin Riley, chief technology officer of Ribbon Communications Inc., a telecommunications-focused cybersecurity firm based in Westford, Mass. “Absolutely. They own that software.”

Evading detection

While a wireless carrier could easily detect whether a smartphone manufacturer is tapping every call and sending data to somewhere it shouldn’t go, it would be much harder to detect if the manufacturer only occasionally tapped a call, Mr. Riley says.

The other cybersecurity threat that mobile phones present is that their manufacturer could turn them into weapons capable of crippling a cellular network.

As Mr. Riley says, “You can weaponize a handset and turn it into a bot that generates a lot of traffic, so the cellular-tower equipment becomes massively congested.”

Mr. Woo is a reporter for The Wall Street Journal in London. He can be reached at stu.woo@wsj.com.


Editor's News Picks

How a Mexican Bank Stopped a $110 Million Heist. Hackers attempted to siphon more than $110 million from a state-owned bank in Mexico by stealing bank codes and disguising a fraudulent transaction as a donation from the bank to a Korean church, Bloomberg reports. The January attack forced the firm, Bancomext, to suspend operations, shut down its email server, turn off desk phones and send some workers home until it identified where the unusual activity was coming from. The bank was able to stop the transfer before the money went through, according to Bloomberg. Experts consulted by Bancomext said the bank was likely infected after an employee clicked on a malicious email attachment, and that the malware sat undetected in the bank’s network for months until an attempt was made to transfer money to a private account.

Bitcoin Spinoff Manipulated in $18 Million Hack. Malicious actors were able to manipulate a cryptocurrency’s blockchain ledger and spend the same digital coins more than once, Fortune reports. The incident involved what’s known as a 51% hack, in which one person controls more than half of the mining power on a cryptocurrency network. It’s analogous to a fraudster obtaining access to the clearing records of a stock exchange and falsifying a series of share transfers, according to Fortune. The attack on the cryptocurrency, called Bitcoin Gold, involved about $18 million in stolen coins.

Credit Freezes Will Soon Be Free. A new law will make it free for consumers to place a security freeze on their credit files, The Washington Post reports. A freeze prevents a credit bureau from releasing any information in a person’s file without their permission, and costs up to $10 in some states for each part of the process. Security freezes are considered more potent than putting a fraud alert on a credit report, according to The Washington Post. The provision is part of a new bill that rolls back banking rules put in place after the 2008 financial crisis, and will go into effect in September.
