
JPMorgan Discovers Further Cyber Security Issues - panarky
http://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/
======
opendais
Is anyone really surprised?

IT Security is a cost center and, honestly, the damage from this hack (money
wise) to JP Morgan is likely less than the cost of better security.

Also, the larger the payoff ... the more effort people will put into the
attack. No IT system is 100% secure unless it's been shredded. Even a
no-network PC in a vault is still vulnerable to a vault door breach.

~~~
_asummers
Chase has a "feature" where their passwords don't allow special characters and
ignore upper/lowercase, at least on their mobile app. I'm not surprised other
things are amiss.

~~~
opendais
Ya. It isn't really excusable.

------
morpher
"In the filing, JPMorgan said there was no evidence that account information,
including passwords or Social Security numbers, were taken."

I wonder what was actually "compromised" about the 76 million accounts if not
account information.

~~~
opendais
Read the filing:

User contact information – name, address, phone number and email address – and
internal JPMorgan Chase information relating to such users have been
compromised.

The compromised data impacts approximately 76 million households and 7 million
small businesses.

However, there is no evidence that account information for such affected
customers – account numbers, passwords, user IDs, dates of birth or Social
Security numbers – was compromised during this attack.

[http://www.sec.gov/Archives/edgar/data/19617/000119312514362...](http://www.sec.gov/Archives/edgar/data/19617/000119312514362173/d799478d8k.htm)

~~~
ardila
"However, there is no evidence that account information for such affected
customers – account numbers, passwords, user IDs, dates of birth or Social
Security numbers – was compromised during this attack."

Perhaps someone who has more experience with security and system
administration can answer this: If you get root access to a system (as
mentioned in the original article), isn't it fairly easy to make it nearly
impossible to find evidence that any particular piece of information has been
compromised?

It's funny that this wording (there is no evidence) should be used. I don't
know if JPMorgan can confidently assert that this information has not been
compromised, yet when stated this way it sounds like they are.

~~~
heroprotagonist
There is security software which can restrict even root access to files. One
such example is CA ControlMinder.

It can protect files/programs/processes at the kernel level and redirect
authorization attempts through its own authorization engine and then back
through the original syscall (if permitted). So, you shouldn't, but you could
chmod a file to have world-read/world-write access and then set default access
to the file to 'none' via this authorization engine and it would still be
inaccessible to all users (even root).

You can form more granular controls, such as 'this file can only be accessed
by the process launched by program with device/inode xx/yy', and 'this program
cannot be launched if any of these 8 attribute checks show as being
modified'.

By the same interception mechanism, auditing can be performed which records
when specified files are accessed, by whom, and which server they had
originally connected from when they did it. An audit-only mode can simply
monitor activity without performing any denials. Add in a keylogger that
targets terminals of specific users, or just specific surrogate accounts (e.g.,
when any user su's to root) and you can get a closer inspection of all
activity performed (and not just activity to specific protected
files/resources).

So, it's possible to tell what's been compromised, but one would need to be
running such security software and have it properly configured for auditing
the right resources. This isn't a trivial task to perform across environments
with tens of thousands of servers.
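
The audit trail described in the comment above, as an added example that is not part of the original thread and is not CA ControlMinder's own log format: it assumes Linux auditd-style records (constructed and simplified here) and a hypothetical watch key `pii-read`. It joins each tagged file access to the login uid, which persists across `su`, and to the host the session originally connected from.

```python
import re

# Constructed, simplified records in Linux auditd's key=value layout (not real logs).
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1412300000.100:40): pid=900 uid=0 auid=1001 ses=7 msg='op=login acct="alice" exe="/usr/sbin/sshd" addr=10.0.5.20 terminal=ssh res=success'
type=SYSCALL msg=audit(1412300050.200:41): syscall=257 success=yes exit=3 pid=950 auid=1001 uid=0 ses=7 comm="cat" exe="/usr/bin/cat" key="pii-read"
type=PATH msg=audit(1412300050.200:41): item=0 name="/srv/crm/contacts.db" inode=1234 nametype=NORMAL
type=SYSCALL msg=audit(1412300060.300:42): syscall=257 success=no exit=-13 pid=951 auid=1001 uid=0 ses=7 comm="cat" exe="/usr/bin/cat" key="pii-read"
type=PATH msg=audit(1412300060.300:42): item=0 name="/srv/crm/accounts.db" inode=1235 nametype=NORMAL
type=SYSCALL msg=audit(1412300070.400:43): syscall=257 success=yes exit=3 pid=960 auid=1002 uid=1002 ses=9 comm="ls" exe="/usr/bin/ls" key=(null)
type=PATH msg=audit(1412300070.400:43): item=0 name="/tmp" inode=2 nametype=NORMAL
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL = re.compile(r'audit\([\d.]+:(\d+)\)')


def parse(line):
    """Return (event serial, field dict) for one audit record."""
    # Dropping the single quotes exposes the fields nested in msg='...'.
    pairs = FIELD.findall(line.replace("'", " "))
    return SERIAL.search(line).group(1), {k: v.strip('"') for k, v in pairs}


def watched_accesses(log, key):
    """List file accesses tagged with `key`, joined to the session's origin host."""
    origin, calls, paths = {}, {}, {}
    for line in log.splitlines():
        if not line.strip():
            continue
        serial, f = parse(line)
        if f["type"] == "USER_LOGIN" and f.get("res") == "success":
            origin[f["ses"]] = f.get("addr", "unknown")   # session id -> source host
        elif f["type"] == "SYSCALL" and f.get("key") == key:
            calls[serial] = f                             # only watched resources
        elif f["type"] == "PATH":
            paths.setdefault(serial, []).append(f["name"])
    # Records of one event share a serial; login uid (auid) survives su to root.
    return [{"path": p, "login_uid": c["auid"], "uid": c["uid"],
             "origin": origin.get(c["ses"], "unknown"),
             "allowed": c["success"] == "yes"}
            for s, c in calls.items() for p in paths.get(s, [])]


if __name__ == "__main__":
    for event in watched_accesses(SAMPLE_LOG, "pii-read"):
        print(event)
```

Accesses to files that were never tagged with a watch key do not appear in the result at all, which is the configuration burden the comment describes.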

------
zabalmendi
JPMorgan Password Said to Lead Hackers to 76 Million Homes

    Oct. 3 (Bloomberg) -- Hackers exploited an employee password to crack a JPMorgan Chase & Co. server and ultimately pull off one of the largest cyber-attacks ever, accessing data on 76 million households and 7 million small businesses.

[http://www.bloomberg.com/news/2014-10-03/jpmorgan-password-s...](http://www.bloomberg.com/news/2014-10-03/jpmorgan-password-said-to-lead-hackers-to-76-million-households.html)

------
sixpenrose16
This is interesting: "made off with a list of the applications and programs
that run on every standard JPMorgan computer". That would mean source code of
the applications?

~~~
dragonwriter
I would not infer that the "list of the applications and programs" would mean
the "source code of the applications".

I would assume it's _literally_ what it says, the lists most big orgs maintain
of their standard system configuration(s).

~~~
IbJacked
I wouldn't assume that at all. They say "a list of the applications and
programs", not "program listing...". In this case, it reads to me as just
that, a list, such as Word xx.xx, Outlook xx.xx, girlfriend 2.0, ms-dos 5.5,
etc.

~~~
dragonwriter
That's what I meant (see the second sentence). The first sentence of my post
was, however, originally missing a "not" (now added), so I see the confusion.

------
enik
Title is inaccurate. The only thing new here is the press release stating the # of
records compromised. This doesn't really constitute "further" breach.

