IT Security is a cost center and, honestly, the damage from this hack (money wise) to JP Morgan is likely less than the cost of better security.
Also, the larger the payoff ... the more effort people will put into the attack. No IT system is 100% secure unless it's been shredded. Even a no-network PC in a vault is still vulnerable to a vault door breach.
Chase has a "feature" where their passwords don't allow special characters and ignore upper/lowercase, at least on their mobile app. I'm not surprised other things are amiss.
User contact information – name, address, phone number and email address – and internal JPMorgan Chase information relating to such users have been compromised.
The compromised data impacts approximately 76 million households and 7 million small businesses.
However, there is no evidence that account information for such affected customers – account numbers, passwords, user IDs, dates of birth or Social Security numbers – was compromised during this attack.
"However, there is no evidence that account information for such affected customers – account numbers, passwords, user IDs, dates of birth or Social Security numbers – was compromised during this attack."
Perhaps someone who has more experience with security and system administration can answer this: If you get root access to a system (as mentioned in the original article), isn't it fairly easy to make it nearly impossible to find evidence that any particular piece of information has been compromised?
It's funny that this wording (there is no evidence) should be used. I don't know if JPMorgan can confidently assert that this information has not been compromised, yet when stated this way it sounds like they are.
There is security software which can restrict even root access to files. One such example is CA ControlMinder.
It can protect files/programs/processes at the kernel level and redirect authorization attempts through its own authorization engine and then back through the original syscall (if permitted). So, you shouldn't, but you could chmod a file to have world-read/world-write access and then set default access to the file to 'none' via this authorization engine and it would still be inaccessible to all users (even root).
You can form more granular controls, such as 'this file can only be accessed by the process launched by program with device/inode xx/yy', and 'this program cannot be launched if any of these 8 attribute checks show as being modified'.
By the same interception mechanism, auditing can be performed which records when specified files are accessed, by whom, and which server they had originally connected from when they did it. An audit only mode can simply monitor activity without performing any denials. Add in a keylogger that targets terminals of specific users, or just specific surrogate accounts (eg, when any user su's to root) and you can get a closer inspection of all activity performed (and not just activity to specific protected files/resources).
So, it's possible to tell what's been compromised, but one would need to be running such security software and have it properly configured for auditing the right resources. This isn't a trivial task to perform across environments with tens of thousands of servers.
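An added example (not the commenter's code, and not any vendor's format): a small parser over constructed audit records of the kind the comment describes, answering the forensic question "which protected files were actually read, by whom, from where, and during the breach window?", plus a view of everyone acting as root via a surrogate login. The record layout and all sample values are assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records (not from any real product):
# time  effective_user  original_login  origin_host  resource  action  decision
AUDIT_LOG = """\
2014-06-01T02:10:05 root alice 10.0.4.21 /etc/shadow        read  DENIED
2014-06-01T02:11:40 root bob   10.0.9.77 /data/customers.db read  ALLOWED
2014-06-01T02:12:02 root bob   10.0.9.77 /data/accounts.db  read  DENIED
2014-06-01T09:30:00 app  app   10.0.1.5  /data/customers.db read  ALLOWED
2014-06-02T23:59:59 root bob   10.0.9.77 /data/customers.db write ALLOWED
"""

def parse_audit(log):
    """One whitespace-separated record per line (constructed format)."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, euser, ouser, host, path, action, decision = line.split()
        records.append({"time": datetime.fromisoformat(ts), "effective_user": euser,
                        "original_user": ouser, "origin_host": host, "path": path,
                        "action": action, "decision": decision})
    return records

def accessed_protected(records, start_iso, end_iso, protected_prefixes):
    """Map each protected file that was actually opened (ALLOWED) inside the
    window to the set of (original login, origin host, action) that touched it.
    Denied attempts are excluded here: they show probing, not exfiltration."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    hits = defaultdict(set)
    for r in records:
        if not (start <= r["time"] <= end) or r["decision"] != "ALLOWED":
            continue
        if any(r["path"].startswith(p) for p in protected_prefixes):
            hits[r["path"]].add((r["original_user"], r["origin_host"], r["action"]))
    return dict(hits)

def surrogate_root_activity(records):
    """Records where a login other than root was acting as root (e.g. after su),
    denials included, since a denied read of a sensitive file is worth a look."""
    return [r for r in records
            if r["effective_user"] == "root" and r["original_user"] != "root"]

if __name__ == "__main__":
    recs = parse_audit(AUDIT_LOG)
    for path, who in accessed_protected(recs, "2014-06-01T00:00:00",
                                        "2014-06-01T23:59:59", ["/data/"]).items():
        print(path, sorted(who))
    for r in surrogate_root_activity(recs):
        print(r["original_user"], "as root from", r["origin_host"], r["path"], r["decision"])
```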
A business like JPMorgan will have a large number of systems, with different segments of their data copied around, synchronized (sometimes poorly), partial data dumps to the marketing department, etc. I imagine that the systems containing sensitive data were better protected than the ones that are known to be compromised, with no known vector of attack from the compromised system to the one containing the information.
For example, at a small financial institution where I worked we had a mainframe doing the important financial calculations, and then we had a bunch more data in MySQL for doing reporting and analysis.
> isn't it fairly easy to make it nearly impossible to find evidence that any particular piece of information has been compromised?
This is where digital forensics comes in. Just because an attacker has root or admin access doesn't mean all indicators of a compromise can be cleaned up.
Theoretically yes, but practically no, especially if the breach is discovered within at least a few weeks of it happening. If you're looking at it 6 months later, it may be a different story.
JPMorgan Password Said to Lead Hackers to 76 Million Homes
Oct. 3 (Bloomberg) -- Hackers exploited an employee password to crack a JPMorgan Chase & Co. server and ultimately pull off one of the largest cyber-attacks ever, accessing data on 76 million households and 7 million small businesses.
This is interesting: "made off with a list of the applications and programs that run on every standard JPMorgan computer". That would mean source codes of the applications?
No, more likely just the image of the standard build. I don't have source for most of the software on my Windows machine, for example. While I don't know what sort of platform they use at JPM, if it's anything like bespoke platforms I've seen at other financial institutions such as Merrill Lynch, end users only have binaries.
If they actually have all the source code that would be a pretty horrendous risk factor (not that my scenario is so great). We're getting into too-big-to-fail territory here; I really wonder if it's time regulators went beyond swingeing fines and actually revoked a bank's charter.
I wouldn't assume that at all. They say "a list of the applications and programs", not "program listing...". In this case, it reads to me as just that, a list, such as Word xx.xx, Outlook xx.xx, girlfriend 2.0, ms-dos 5.5, etc.
That's what I meant (see the second sentence). The first sentence of my post was, however, originally missing a "not" (now added), so I see the confusion.
Title is inaccurate. The only thing new here is the press release stating the # of records compromised. This doesn't really constitute "further" breach.