(Reuters) – Twitter Inc unveiled technology to boost security for its users, following a spate of attacks on accounts of prominent media outlets including the Associated Press, the Financial Times and The Onion.

The micro blogging site, which transmits some 400 million messages a day, said on Wednesday that it had begun rolling out an optional “login verification” service to thwart hackers seeking to hijack accounts with stolen passwords.

Security experts welcomed the move as a positive step toward securing a service that is widely used by consumers, political activists, advertisers and news outlets around the globe to quickly exchange information.

Twitter had come under fire over the past year for failing to offer such an option, which is known as two-factor authentication, amid a surge in breaches of high-profile accounts. That criticism intensified in April after a fake tweet about a non-existent White House explosion sent from the Associated Press account briefly roiled U.S. financial markets.

“It’s been a long time coming,” said Jeremiah Grossman, chief technology officer of White Hat Security. “It’s not going to solve all problem, but it’s a step in the right direction.”

When users log in to Twitter via a web browser, they must confirm their identity by entering a six-digit code that Twitter delivers to their smartphones. To access the service through applications for PCs and smartphones, users must use an automatically generated temporary password for each of the programs.

Twitter described the offering in a blog post, reminding users that they still need to use strong passwords to keep accounts secure.

The approach is similar to security tools previously introduced by other Internet services from companies including Facebook Inc, Google Inc and Microsoft Corp.

“This would have made the AP hack and other hacks against Twitter more difficult to accomplish,” said Jeffrey Carr, CEO of cyber security firm Taia Global Inc.

Yet he added that hackers looking to break into corporate accounts will still be able to do so if they can take control of PCs or smartphones running applications authorized to use the service.

“Two-factor authentication isn’t perfect,” Carr said. “If you own the machine, it really doesn’t matter.”

(Reporting by Jim Finkle; Editing by Phil Berlowitz)

A hacking expert who helps companies uncover network
vulnerabilities, Moore said he found the sensors last month
while analyzing information in huge, publicly available
databases of Internet-connected devices.

“We know that systems are exposed and vulnerable. We don’t
know what the impact would be if somebody actually tried to
exploit them,” said Moore, chief research officer at the
security firm Rapid7.

U.S. national security experts used to take comfort in the
belief that “rational” super powers like China or Russia were
their main adversaries in cyber space. These countries may have
the ability to destroy critical U.S. infrastructure with the
click of a mouse, but they are unlikely to do so, in part
because they fear Washington would retaliate.

Now, concerns are growing that “irrational” cyber actors -
such as extremist groups, rogue nations or hacker activists -
are infiltrating U.S. systems to hunt for security gaps like the
one uncovered by Moore. These adversaries may not be as
resourceful, but like Timothy McVeigh’s bombing of an Oklahoma
federal building in 1995, it is the element of surprise that is
as concerning.

Former U.S. Homeland Security Secretary Michael Chertoff
said he was worried the first destructive cyber attack on U.S.
soil might resemble the Boston Marathon bombings in the sense
that the suspects were not on the government’s radar.

“You are going to get relatively modest-scale, impact
attacks from all kinds of folks – hactivists, criminals,
whatever,” Chertoff said at the Reuters Cybersecurity Summit
last week. “Are they going to take down critical infrastructure?
They might.”

Emerging cyber actors that security experts say they are
most concerned about include Iran, believed to be behind the
ongoing assaults on U.S. banking websites, as
well as a devastating attack on some 30,000 PCs at Saudi
Arabia’s national oil company last year.

North Korea is also quickly gaining cyber skills, experts
say, after hackers took down three South Korean broadcasters and
two major banks in March.

Another emerging actor is the Syrian Electronic Army, an
activist group that has claimed responsibility for hacking the
Twitter accounts of major Western media outlets, such as the
Associated Press last month, when its hackers sent a fake tweet
about explosions at the White House that briefly sent U.S.
stocks plunging.

UNRELENTING ATTACKS

The U.S. power grid is the target of daily attempted cyber
attacks, according to a report by California Representative
Henry Waxman and Massachusetts Representative Ed Markey released
at the House Energy and Commerce Committee’s cybersecurity
hearing on Tuesday.

More than a dozen utilities report daily, constant or
frequent attempted attacks, ranging from unfriendly probes to
malware infection, according to the report. (To read the report,
see)

Gerry Cauley, chief executive of the North American Electric
Reliability Corp, told the Reuters Cybersecurity Summit that
computer viruses have been found in the power grid that could be
used to deliver malicious software to damage plants. NERC is a
non-profit agency that oversees and ensures the reliability of
bulk power system in the region.

Experts say that with so many unknown hackers trying to
infiltrate U.S. industrial control systems, they fear someone
somewhere – perhaps even an amateur – will intentionally or
unintentionally cause damage to power generators, chemical
plants, dams or other critical infrastructure.

“Even if you don’t know how things actually work, you can
still wreak havoc by crashing a device,” said Ruben Santamarta,
a senior security consultant with IOActive. “Probably in the
near future we may face an incident of this type, where the
attackers will not even know what they are doing.”

Santamarta has identified hundreds of Internet-facing
control systems — on the grid, at water treatment facilities
and heating and ventilation systems for buildings including
hospitals. He has also uncovered bugs built into industrial
control equipment.

The Department of Homeland Security’s Industrial Control
Systems Cyber Emergency Response Team, known as ICS-CERT, last
week warned of a flaw that Santamarta found in equipment from
Germany’s TURCK, which is used by manufacturers and agriculture
firms in the United States, Europe and Asia.

The agency said attackers with “low” hacking skills could
exploit the flaw, letting them remotely halt industrial
processes. It advised customers to install a patch that would
protect them against such attacks.

Director of National Intelligence James Clapper told a
Senate committee in March that “less advanced, but highly
motivated actors” could access some poorly protected control
systems. They might cause “significant” damage, he warned, due
to unexpected system configurations, mistakes and spillovers
that could occur between nodes in networks.

‘A MATTER OF TIME’

ICS-CERT posts dozens of alerts and advisories about
vulnerabilities in industrial control systems on its website
each year. Companies whose products were named in their alerts
include General Electric Co, Honeywell International Inc
, Rockwell Automation Inc, Schneider Electric SA
and Siemens AG.

Dale Peterson, CEO of industrial controls systems security
firm Digital Bond, said infrastructure control systems are
highly vulnerable to cyber attacks because designers did not
take security into consideration when they developed the
technology.

While hackers have yet to launch a destructive attack on
U.S. infrastructure, plenty have the skills to do so. “I would
say it is only because no one has wanted to do it,” said
Peterson, who began his career as a code breaker with the
National Security Agency.

House Intelligence Committee Chairman Mike Rogers said
terrorists are among the groups looking to acquire the
capability to launch a cyber attack on U.S. infrastructure, but
he believes they do not yet have that ability.

“You get the right person with the right capability
committed to this and it’s a game changer,” Rogers told the
Summit. “My concern is it’s just a matter of time.’

Eric Cornelius, a former ICS-CERT official, said that
operators in critical sectors including power, water, oil and
gas sometimes do not implement security fixes recommended by
equipment and software manufacturers in a timely manner because
they need to take plants off line to do so and cannot afford the
downtime.

Some plants lack sufficient security staff and technology to
protect networks because they don’t have adequate funds, said
Cornelius, director of critical infrastructure for Cylance Inc.

A relatively unsophisticated hacker whose goal was to probe
a network could unintentionally damage a system because aging
networks are fragile and extremely sensitive, he said.

“That leaves these control systems insecure,” he said.

California Representative Henry Waxman released the report,
co-authored with Massachusetts Representative Ed Markey, at the
House Energy and Commerce Committee’s cybersecurity hearing on
Tuesday.

The pair asked some 160 utilities to describe their
experiences fighting cyber attacks over the past five years. In
response, more than a dozen said they experienced daily,
constant or frequent attempted cyber attacks, according to a
35-page report summarizing their responses.

(To read the report, see r.reuters.com/sej38t)

But utilities termed the report as overblown, saying their
systems were adequately protected through mandatory standards
set by the North American Electric Reliability Corp (NERC) that
ensure separation of control systems and consumer-facing or
administrative networks.

“The majority of those attacks, while large in number, are
the same attacks that every business receives” through
web-connected networks, Arkansas Electric Cooperative
Corporation Chief Executive Duane Highley told the hearing.

“Those are very routine kinds of attacks and we know very
well how to protect against those…Our control systems are not
vulnerable to attack,” he told Reuters after the hearing, saying
current NERC standards make it illegal to interconnect the
public-facing networks and the control centers.

But many lawmakers echoed some senior White House officials
in expressing fear that while they do not know of any successful
attack on the power grid, hackers may have that ability.

Senior Obama administration officials began warning late
last year that foreign enemies are looking to sabotage the U.S.
power grid, air traffic control systems, financial institutions
and other infrastructure.

Last week, NERC Chief Executive Officer Gerry Cauley told
the Reuters Cybersecurity Summit that there has never been a
destructive cyber attack on the grid, mostly probes and spying
malicious software and that he worried more about physical
attacks on the power grid than cyber ones.

Tuesday’s report cited an unidentified Northeastern power
provider as saying it was under constant attack from cyber
criminals as well as activist groups who have been targeting
firms in the energy sector over the past few years.

A power provider from the Midwest said it experienced daily
probes of its systems: “Much of this activity is automated and
dynamic in nature, able to adapt to what is discovered during
its probing process,” the company said.

Markey is running for U.S. Senate in Massachusetts against
Republican Gabriel Gomez, seeking the seat vacated by John
Kerry, now U.S. Secretary of State.

This year, the House has also passed a cybersecurity bill
meant to ease the sharing of data between the government and the
private sector, despite the threat of veto by President Barack
Obama over privacy concerns. The Senate is working on its own
version of the bill.

Highley welcomed the work toward an industry-led solution
and better communication with the government, but pleaded with
the legislators that “NERC has it covered. Please don’t mess
up.”

“We’re all about reliability. We don’t want to have lights
going out anymore than anybody else does,” he told Reuters.

(Reporting by Jim Finkle in Boston and Alina Selyukh in
Washington; Editing by Ros Krasny, Phil Berlowitz and Leslie
Gevirtz)

The Syrian Electronic Army, an online group that supports
Syrian President Bashar al-Assad, was behind the incident which
followed a phishing attack on the company’s email accounts, FT
reported on its website.

The attack is the latest in which hackers commandeered the
Twitter account of a prominent news organization to push their
agenda. Twitter’s 200 million users worldwide send out more than
400 million tweets a day, making it a potent distributor of
news.

“Twitter has become a big enough media outlet that they
should provide better security for high-value accounts like the
Associated Press, the FT and others,” said Mikko Hypponen, chief
research officer with security software maker F-Secure.

Several attempts to reach Twitter for comment were
unsuccessful. The company’s media relations team made no mention
of the attack on its own Twitter feed.

Last month, the Syrian Electronic Army took control of the
Associated Press’ official Twitter feed and sent out a bogus
message that two explosions at the While House injured President
Obama. The false tweet triggered a brief but steep sell-off in
the U.S. financial markets.

That followed a spate of attacks in the past year by the
group on Twitter accounts of other media organizations,
including the BBC, National Public Radio, CBS, Reuters News and
the satirical news website The Onion.

Over the past few years security experts have become
increasingly vocal in calling for Twitter to introduce an
additional safety measure, a two-step process to log in, that
would help reduce breaches.

This type of authentication has long been used by
governments and big corporations and in recent years some
consumer Internet companies like Facebook Inc, Google Inc
and Microsoft Corp have embraced it.

“You can get two-factor authentication for World of
Warcraft, but you can’t get it for Twitter. Go figure,” Hypponen
said, referring to the popular video game.

EXECUTION VIDEOS

In Friday’s hacking of the FT, the Syrian Electronic Army -
which regularly targets media organizations it sees as
sympathetic to Syria’s rebels – posted links on the newspaper’s
Twitter feed to YouTube.

The video purports to show members of the al Qaeda-linked
Nusra Front Syrian rebel group executing blindfolded and
kneeling members of the Syrian army.

The video could not be independently verified.

“Today various FT Twitter accounts and one FT blog (not more
as previously stated) were compromised by hackers. We have now
secured those accounts are working to resolve the issue as
quickly as possible,” the FT, owned by Pearson Plc,
said in an updated statement.

Stories on the FT’s website had their headlines replaced by
“Hacked By Syrian Electronic Army” and messages on its Twitter
feed read: “Do you want to know the reality of the Syrian
‘Rebels?’” followed by a link to the video.

The FT’s feeds dedicated to technology and commodities were
among those affected.

Also on Friday, the Kyodo news agency reported that Yahoo
Japan suspects up to 22 million of its 200 million user IDs may
have been leaked. Kyodo said Yahoo Japan also detected an
unauthorized attempt to access the administrative systems of its
web portal.

Kaspersky makes one of the top-selling anti-virus programs in the United States, where it has gained market share in recent years against products from Symantec Corp (SYMC.O: Quote, Profile, Research, Stock Buzz), Intel Corp’s (INTC.O: Quote, Profile, Research, Stock Buzz) McAfee and Trend Micro Inc (4704.T: Quote, Profile, Research, Stock Buzz).

Yet the Moscow-headquartered company has struggled to make inroads with the U.S. government, one of the world’s largest buyers of technology products. Security experts say that the U.S. government typically avoids Russian products out of concern they could have hidden functions that might allow Moscow to penetrate U.S. networks.

Eugene Kaspersky, the company’s co-founder and chief executive officer, told the Reuters Cybersecurity Summit that his programs have no such hidden functions. But he said he will build products aimed at the U.S. market in the United States, to assuage any concerns.

“American companies are 100 percent trusted, so we have to prove we are 200 percent trusted,” Kaspersky said. “We have to be more American than Americans.”

Kaspersky said he will hire U.S. citizens to work in the new office and write, test and compile computer programs.

The company already has a regional headquarters in Woburn, Massachusetts, and an anti-virus lab in Seattle, but does not produce software in the United States.

The new U.S. team will work on an operating system for computers that control electric generators, water systems, factories and other industrial facilities.

Kaspersky said the company is almost ready to test an early version in Russia. He said he hopes the industrial control software will one day account for about a third of its sales.

As global sales of personal computers decline, Kaspersky Lab wants to diversify its portfolio away from PC anti-virus software. Last year global PC sales posted their biggest decline in more than two decades, hurt by a shift to tablets and smartphones.

Kaspersky said falling consumer sales in 2012 crimped overall revenue growth but did not elaborate. The company still has positive revenue growth when sales to businesses are included “but it’s a little bit close to flat,” he said.

Revenue grew 14 percent in 2011 to $612 million.

(Follow Reuters Summits on Twitter @Reuters_Summits)

(Editing by Ros Krasny and Mohammad Zargham)

“It takes a small number of crews with explosives and you’ve created not only an outage over an area or a city, but smoke and fire and flash-type stuff,” Gerry Cauley, chief executive of the North American Electric Reliability Corp (NERC), told the Reuters Cybersecurity Summit.

“It’s much more complicated, it’s much more technically difficult” to destroy equipment virtually, he said.

NERC is a non-profit agency whose mission is to oversee and ensure the reliability of the bulk power system in the United States, Canada and parts of Mexico. It brings together members of the industry, including municipalities, utilities, power producers and transmission operators.

The U.S. public became more aware of cyber threats against critical infrastructure after President Barack Obama said at the State of the Union address in February that enemies are “seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems.”

Cauley said that while hackers have used computer viruses to spy on electric plants and steal documents, NERC members have yet to find malicious software in their networks that is capable of causing physical damage to a plant.

“You hear a lot of that in this city (Washington), to be frank, that we’re the bullseye,” he told the summit held at Reuters’ Washington offices. “But I don’t think we’re the bullseye yet.”

Cauley, a lead investigator of the wide-ranging U.S. Northeast blackout in 2003, pointed to an incident in San Jose, California, on April 16 as an example of physical threats.

In that case, an unknown person or persons fired a high-powered rifle at electric transformers owned by PG&E Corp’s (PCG.N: Quote, Profile, Research, Stock Buzz) Pacific Gas and Electric utility, prompting requests for residents to conserve power. Vandals also cut nearby underground fiber optic cables, disrupting telephone service, in an apparently related incident.

“We don’t do ourselves a favor if we only concentrate on cyber. Physical security is a concern for us as well,” Cauley said.

About 20 percent of NERC’s budget goes to security, of which 80 percent is spent on cyber, he said. But he called the attempts to virtually hack into the power systems “not that overwhelming.”

“Anyone who is smart enough to do those kinds of things has better things to do than shut the lights out,” Cauley said.

(Follow Reuters Summits on Twitter @Reuters_Summits)

(Editing by Ros Krasny and Philip Barbara)