Entry Point For JP Morgan Data Breach Has Been Identified; Lessons From The Sony Hack
The New York Times is reporting this morning (December 23, 2014) that “the computer breach at JP Morgan Chase [earlier] this summer — the largest intrusion of an American bank to date — might have been thwarted if the bank had installed a simple security fix to an overlooked server in the firm’s vast IT network.” Citing anonymous sources familiar with both the internal and external investigations at JP Morgan Chase, the paper said “the weak spot appears to have been a very basic one. The attack began last spring, after hackers stole the login credentials for a JP Morgan employee,” but even then the hack could have been stopped, the paper noted. Most banks use a double authentication scheme, known as two-factor authentication, which requires a second, one-time password to gain access to a protected system. But “JP Morgan’s security team had apparently neglected to upgrade one of its network servers with the dual password scheme; that left the bank vulnerable to intrusion,” the paper said. “This oversight is now the focus of an internal review at JP Morgan … that seeks to identify whether there are any other unguarded holes” in the bank’s IT ecosystem, and these revelations are very embarrassing to the firm.
“The relatively simple nature of the attack — some details of which have not previously been reported — puts the breach in a new light,” the New York Times asserts. “In August, when Bloomberg News first reported on the breach — which ultimately compromised some account information for 83M households and small businesses — the bank’s security experts and the FBI feared a sophisticated adversary,” with much of the speculation centering on Russia as retaliation for the economic sanctions imposed on Moscow for its actions in Crimea and Ukraine. “By mid-October, however,” the paper said, “that theory began to fray, and the FBI officially ruled out the Russian government as a culprit.”
“It is still not known where the attack originated,” the paper noted.
In the aftermath of the breach, the firm has set up “a business control group” of about a dozen technology and cyber security executives to assess the fallout and take appropriate measures to prevent hackers from breaching its network in the future, at least by the methods and techniques used in the August breach. “The revelation that a simple flaw was at issue may help explain why several other financial institutions that were targets of the same hackers were ultimately not affected as much as JP Morgan Chase. What is clear,” the Times noted, “is JP Morgan’s attack did not involve the use of a so-called ‘zero-day attack,’ the kind of sophisticated, completely novel software bug that can sell for a million dollars on the black market. Nor did the hackers use the kind of destructive malware that government officials say hackers in North Korea used to sabotage data at Sony Pictures.”
“Nonetheless, once inside JP Morgan, hackers did manage to gain high-level access to more than 90 bank servers, but were caught before they could retrieve private customers’ financial information,” according to sources the Times spoke to. The NSA, which normally doesn’t get involved in cyber attacks on private companies, has been working with JP Morgan because the bank, particularly given its size, is considered part of the nation’s “critical infrastructure,” the Times noted.
The Times said “it isn’t clear why the vulnerability in the bank’s network had gone unaddressed previously. A large part of the problem, [cyber] security experts say, is that it has become nearly impossible for banks of JP Morgan’s size to secure their networks, particularly as they integrate the networks of companies they acquire and merge them with their own.”
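The lesson of the overlooked server is an inventory problem: the team believed every remote-access host enforced a second factor, and one did not. The script below, an added example that is not from the Times report or from JP Morgan, shows the defender’s check: run authentication events against the list of hosts believed to enforce two-factor login, and flag any host that accepted a successful single-factor login, including hosts that were never in the inventory at all. The log format, hostnames, user names and inventory are all constructed for illustration.

```python
"""Audit constructed authentication events for servers that accepted a login
without a second factor, the gap the Times report describes.

Added example, not from the article; the log format, hostnames and policy
are all constructed for illustration."""
import re
from collections import defaultdict

# Constructed sample: one line per authentication event (not a real log format).
SAMPLE_LOG = """\
2014-06-02T03:14:07Z host=vpn-gw-01 user=jdoe result=success factors=password,otp
2014-06-02T03:15:22Z host=legacy-app-07 user=jdoe result=success factors=password
2014-06-02T03:16:40Z host=vpn-gw-01 user=asmith result=failure factors=password
2014-06-02T03:18:01Z host=legacy-app-07 user=jdoe result=success factors=password
2014-06-02T04:01:55Z host=hr-portal user=bwu result=success factors=password,otp
"""

# Hosts the security team believes enforce a second factor (constructed).
MFA_INVENTORY = {"vpn-gw-01", "hr-portal"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) factors=(?P<factors>\S+)$")

def parse_events(log_text):
    """Yield one dict per well-formed line; 'factors' becomes a set."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["factors"] = set(ev["factors"].split(","))
            yield ev

def find_single_factor_hosts(log_text, inventory):
    """Return ({host: count of successful single-factor logins},
    {those hosts that are missing from the MFA inventory})."""
    counts = defaultdict(int)
    for ev in parse_events(log_text):
        if ev["result"] == "success" and len(ev["factors"]) < 2:
            counts[ev["host"]] += 1
    unlisted = {h for h in counts if h not in inventory}
    return dict(counts), unlisted

if __name__ == "__main__":
    counts, unlisted = find_single_factor_hosts(SAMPLE_LOG, MFA_INVENTORY)
    for host, n in sorted(counts.items()):
        tag = " (not in MFA inventory)" if host in unlisted else ""
        print(f"{host}: {n} single-factor login(s){tag}")
```

A host that appears in the counts but is in the inventory is a misconfiguration on a known system; one that appears and is not in the inventory is the overlooked server, which is why the two sets are reported separately.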
Lessons From The Sony Hack
John Lenczowski, Founder, President, and Professor at the Institute of World Politics, and a former White House Advisor on Soviet Affairs to POTUS Reagan (1983-1987), wrote in an Op-Ed in the December 19, 2014 Washington Times that “this attack reveals that the very innovations that give us our competitive edge in the world, both commercially and strategically, are gravely at risk. In November,” he writes, “the Pentagon announced the Defense Innovation Initiative, which is designed to promote fresh thinking about how we can maintain our military superiority through technological innovation, despite tighter budgets and the corrosive effects of two long wars. Unfortunately,” he warns, “this strategy will fail unless both government and business place higher priorities on technology security policy and counterintelligence. Two of our adversaries are stealing our technology at levels that exceed those of the Cold War. China in particular,” he contends, “is using commerce as a cover for massive espionage, the fruits of which are deployed with amazing efficiency in the greatest military buildup on the face of the earth — a buildup consistently underestimated by our government.”
“Simultaneously, Russian industrial espionage continues at enormous levels, fueling Moscow’s military buildup.”
“So long as this situation is not reversed, technological innovations contemplated by this administration’s initiative may even be found incorporated in Chinese or Russian weapons systems before they are adopted in our own,” Mr. Lenczowski warns. This is what we used to call “the great steal ahead” during my time in the U.S. Intelligence Community. “Reversing this situation,” he argues, “requires a serious technology security program and the strengthening of U.S. counterintelligence. This is not simply government’s responsibility; it will require the [active] involvement of American business.”
“Counterintelligence, one of the most challenging arts of statecraft, should be among the highest national priorities for the United States,” Mr. Lenczowski pleads. “Fortunately,” he writes, “there is a ray of hope here. Director of National Intelligence James Clapper is setting up a National Counterintelligence and Security Center that will combine operations, analysis, and technological capabilities into one organization.”
I could not agree more, and I suspect that the level of sophistication, complexity, and scope of active denial and deception programs with respect to the Internet is much more profound and insidious than we currently believe and understand. The Internet of Things is becoming the Internet of Threats, and more and more nation states and criminal enterprises are gaining the skillset and talent needed to do some very nasty things to countries such as the United States, which is network dependent as opposed to network enabled. V/R, RCP