Slashdot Mirror


JP Morgan Chase Breach: Shades of a Cyber Cold War?

TheRealHocusLocus writes: The New York Times is quoting "people briefed on the matter" who allege that the JP Morgan data thieves "are thought to be operating from Russia and appear to have at least loose connections with officials of the Russian government." The article suggests it could be retaliation for sanctions. Personally, I'm skeptical — I've seen the former Soviet Union evolve into an amazingly diverse culture that is well represented on the Internet. This culture has grown alongside our own and runs the gamut of characters: tirelessly brilliant open source software developers, lots of regular folk, and yes — even groups affiliated with organized crime syndicates. This is no surprise, and these exist in the U.S. too. Are we ready to go full-political on this computer security issue, worrying more about who did it than how to protect against it in the future? How do you Slashdotters feel about these growing "tensions," and what can we do to help bring some reason to the table? The article also notes that the same group responsible for the breach at JP Morgan Chase was responsible for attacks on 9 other financial institutions.


  1. Betteridge's law of headlines by Anonymous Coward · · Score: 2, Insightful

    no

  2. Corporate Wars by JimSadler · · Score: 4, Interesting

    How long before we see corporations forming hacking groups offshore dedicated to destroying competition by breaching security and causing chaos? Causing chaos to a competitor is one way to steer profits towards a company's cash registers. Can't you see Burger King trying to wipe out McDonalds?

    1. Re:Corporate Wars by mlts · · Score: 2

      Here is the problem rearing up with two nasty heads:

      The first is that security has no ROI, and has a relatively trivial financial cost. A major breach happens, a company feeds a PR firm some cash, says they boosted security [1], they toss all affected a year's subscription to some monitoring service, and that is that. Come a lawsuit, there isn't much to sue because they can easily throw their hands up and say that the hackers would get through anything.

      Which brings up the second point. In the 1990s, a rogue Internet site could be pulled from the net. Now, doing that is tantamount to an act of war, similar to blockading a port with a naval force. So, no matter what, there is no shutting down blackhats. IP blocks can be worthless since it just takes a compromised computer to bypass them. So, eventually the bad guys will find a way in.

      Want an actual solution to the hacking problem? Banks need to create a separate network that uses dedicated physical links that is not connected to the Internet, and if it is, it is connected via application firewalls. Machines are keyed to only be able to connect with other boxes in a pre-arranged manner. If box "A" wants to connect to box "B", it needs to be registered beforehand, or the central switch fabric will deny it. Built into the fabric would be the ability for the central switching fabric to completely lock a box out at the L1 level, so a DoS is stopped.

      Yes, this sounds Draconian, and puts power into a central place... but this isn't the Internet we are looking at, but a private network between banks, banks and credit card processors, and other entities. With this in mind, the actual machine NICs could be made with tamper-resistant chipsets, public keys, and authorization can be done via a PKI system.

      Higher layers could be controlled by the individual institutions, so that even though L1/L2 traffic is handled by a central authority, application permissions can be controlled on a per machine basis with whitelists. That way, if the central authority is compromised, machines are still secured. Spoofing is protected, since public key fingerprints would be used as a part of a box's IP and stored on a HSM on the interface.

      This is nowhere near 100%, but what it means is that there is not just an open network for someone to go after a site. To access a bank, it would require a compromise of an extremely hardened CA and a L1 ISP (both the keys authorizing machines to communicate and the actual WAN switching fabric, which could be kept completely separate from each other.) If a breach happens, it can be fixed fairly rapidly, and a site failing to address it would be disconnected from the WAN.

      In general, not a 100% secure solution, but this gives three benefits. The network is separate, so for any mischief to occur, it requires compromise of the core fabric. Then, individual hosts will have to be attacked, and with contract stipulations mandating a high level of security, this would be difficult. Finally, sites that are too lazy to keep current with security advisories would have their access pulled as part of being on this network.

      This is pretty much done with NIPRNet and SIPRNet, so why not a similar WAN mechanism for businesses and finance?

      [1]: The security "boost" could be another checkbox ticked off in a GPO object applied to the ass end of the company, so that passwords are needed to be changed every 60 days instead of every 90. Yep, a security boost.

  3. Worry less about motive - worry about apathy by QuasiSteve · · Score: 4, Interesting

    http://www.bloomberg.com/news/...

    tl;dr: People think it'll happen at other banks anyway, plus it costs money to change banks, thus they don't care enough and stick with Chase (JP Morgan).
    And, naturally, how does the stock market react to that? "The bank's shares climbed 2.5 percent to $60.30"

    Start making people care that a company they do business with has been hacked, maybe then people will actually bother to worry about motives.

    1. Re:Worry less about motive - worry about apathy by matthekc83 · · Score: 2

      I would like to be able to care less. We need to get the SSN to have a changeable security PIN attached to it. It looks like your information has been compromised, sorry, you will have to change your PIN... darn.

  4. FUD. They don't even know. by Vokkyt · · Score: 4, Insightful

    From the article:

    "But much remains unanswered about the intrusion, including just who the hackers are, which other financial institutions were hit and why the hackers went down a path inside JPMorgan's computer system that contained troves of customer information, but not financial data."

    They have no motive, no indication of who, or why they did what they did. I agree with posters saying that it's officials throwing out a red herring to get everyone worked up over Russia instead of poor security.

  5. Re:FUD. They don't even know. by crunchy_one · · Score: 3, Insightful

    Spot on comment. TFA also fails to name the 10 financial firms that were allegedly attacked. The New York Times seems to be rapidly morphing into a US version of Russia Today. If there's any new cold war, it's clearly a propaganda war. And guess what? I don't give a flying fuck.

  6. shades of incompetence actually... by Karmashock · · Score: 4, Insightful

    Secure your fucking networks or get off the internet.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  7. Re:FUD. They don't even know. by Archtech · · Score: 3, Interesting

    Very much like the utterly unsubstantiated claims that Russia had something to do with the shooting down of MH17. John Kerry said that there was a mountain of evidence, but so far not a single shred of evidence has been published by the US government. The Russians released a good deal of hard evidence, including radar traces and the locations of known BUK units. Basically, MH17 was shot down either by cannon fire from one or more fighters, or by a BUK SAM. The only fighters in the air that day were Ukrainian government planes, and while the rebels may have captured a BUK unit, it had no radar. However the Ukrainian military units near Donetsk had at least three BUK units, complete with radar and trained crews - one of which was in exactly the right place to have shot down MH17, given where it came down.

    So the Western media were flooded with "stenographic" reports and opinion echoing US government statements (almost word for word) and without any skepticism or investigative journalism. Although there has still been no evidence produced to incriminate Russia or the Ukrainian rebels, virtually all Westerners have been so heavily and repeatedly brainwashed with the certainty that Russia was responsible that they think they "know" it.

    Perhaps the recently revealed large and widespread payments made by the CIA to American media (and others) in return for the printing of CIA-written propaganda helps to explain many of these odd situations. And media corporations are all the more disposed to go along with the scam because their circulations are shrinking and they are laying off journalists and editors left, right and centre. It's a double win: money for nothing, and masses of copy that has been written elsewhere. The only losers are any remaining readers who are foolish enough to believe what they read in the newspapers and what they hear on radio and TV.

    --
    I am sure that there are many other solipsists out there.
  8. Wagging the dog? by ErikTheRed · · Score: 4, Insightful

    "People briefed on the matter" generally equals "deliberate leak, to move public opinion or at least test the waters."

    --

    Help save the critically endangered Blue Iguana
  9. Propaganda by koan · · Score: 2

    Sounds like one of many smears to come up prior to some sort of "intervention" in Russia or just the usual "he said she said" crap our (and other) government/s are famous for.

    --
    "If any question why we died, Tell them because our fathers lied."
  10. Re:Can't be serious.. by koan · · Score: 2

    Then you're an idiot, that's reason for war.

    --
    "If any question why we died, Tell them because our fathers lied."
  11. Technology should be designed to be *secure* by Anonymous Coward · · Score: 5, Interesting

    And system administrators have to stop acting like implementing security is a bad idea, shouldn't happen, and won't work. You can argue that 'the business' always comes first no matter what. However that doesn't work if 'the business' puts security at risk. If your business is cloned by a foreign competitor you're screwed, if your bank accounts are drained you're screwed, if you really think 'the business' always comes first you're wrong. It highly depends on what the risks from being compromised are.

    I'm the CEO of a small technology company and I get that security is hard. Hell- I'm not even living up to my own high standards. However it's hard to do that when *nobody* else is. Despite that I'm trying to put security first during our web site revamp (the most critical aspect of this company, if our security is hosed in a slow planned manner we'll never recover).

    One good example is the 'security' systems (two factor authentication) aren't even well thought out and are done such to be 'cheap' rather than effective. This will only stop the bottom feeders temporarily. It won't stop Russian organized crime from doing live intercepts via botnets to gain access to bank accounts and once the tools are sold to typical criminals the entire system is back in the hands of the criminals. I have nothing against the criminals, and considering that I'm the *primary victim* (100% of the shares, business owner here) when fraud happens I'm in a position where I should be more pissed than anyone (and it happens too often).

    But I'm not because the problem isn't the criminals. It's the lack of security and enablement by critical institutions (government and corporate). What I have a problem with is Visa, MasterCard, American Express, the banks, and the government. They are not implementing the systems we actually need.

    1. True security, not halfway crap 'wireless WEP/WPA/WPA2', if your bank's site gets 'hacked' and a known vulnerability w patch exists at the time, then the bank should be shut down, assets seized, etc, none of this proprietary bull shit either. All defaults should be set to off or specifically added to a white list after approval only (on the client side, things like macros, etc).

    2. The systems should be built on hardware that there is source code for and audited. BIOS, firmware components, etc. Right now this doesn't even really exist unless we're talking about *a consumer router* or two. Some individual components may qualify as being pretty close to 100% free software friendly and source code available though.

    3. Calling a cell phone for authentication is NOT a security measure. It's merely a nuisance for the customer (particularly when the cookies make it such you can steal them and never actually have to authenticate via phone anyway). We need something closer to secure ID /w password (on the secure ID token itself). This would prevent the ability of a middle-man (or make it much more difficult) because the identification number revealed by the token to authenticate can only be used once and you can be confident that the person involved in accessing it did authorize it. Now it won't prevent some attacks where the system is compromised, but you can thwart unauthorized wire transfers by adding a screen that shows information to a wire transfer such that the user has to approve it on the device itself. This way the attacker could not simply show the user a different set of data than the one he authorized by entering the token number during authentication.
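
Added example, not part of the comment above and not any bank's or vendor's code: a Python sketch of the token scheme item 3 describes, where the one-time code is computed over the transfer shown on the token's own screen, so a changed payee or a reused code is rejected. The secret, account strings, class names and message layout are all constructed for illustration, and the counter is sent alongside the code as a simplification.

```python
import hashlib
import hmac
import struct


def transfer_code(secret: bytes, counter: int, payee: str, amount_cents: int) -> str:
    """8-digit one-time code bound to the exact transfer the token displayed."""
    payee_b = payee.encode()
    # Length-prefix the payee so bytes cannot be shifted between fields.
    msg = struct.pack(">QI", counter, len(payee_b)) + payee_b + struct.pack(">Q", amount_cents)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**8:08d}"


class Token:
    """Hypothetical hardware token: holds the secret and has its own screen."""
    def __init__(self, secret: bytes):
        self._secret, self.counter = secret, 0

    def approve(self, payee: str, amount_cents: int):
        # The user reads payee and amount on the token itself before approving.
        self.counter += 1
        return self.counter, transfer_code(self._secret, self.counter, payee, amount_cents)


class Bank:
    """Hypothetical bank side: recomputes the code for the transfer it would execute."""
    def __init__(self, secret: bytes):
        self._secret, self.last_counter = secret, 0

    def execute(self, payee: str, amount_cents: int, counter: int, code: str) -> str:
        if counter <= self.last_counter:
            return "rejected: code already used"
        expected = transfer_code(self._secret, counter, payee, amount_cents)
        if not hmac.compare_digest(expected, code):
            return "rejected: code does not match this transfer"
        self.last_counter = counter
        return "executed"


def demo() -> dict:
    secret = b"constructed-demo-secret"  # constructed sample value
    token, bank = Token(secret), Bank(secret)
    counter, code = token.approve("DE00 LANDLORD", 120_000)
    return {
        # The request reaches the bank with a payee the user never approved.
        "tampered": bank.execute("XX99 OTHER", 120_000, counter, code),
        "genuine": bank.execute("DE00 LANDLORD", 120_000, counter, code),
        "replayed": bank.execute("DE00 LANDLORD", 120_000, counter, code),
    }
```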

  12. Re:Russia not equal to USA by Anonymous Coward · · Score: 2, Funny

    When the leader of your country is connected to the mafia, declares himself leader and starts taking over other countries this is very much different from a country that has democratic elections and holds freedom as an ideal. I'm sure there are great people in Russia, but it is no united states.

    Are you describing President Obama and the United States of Amerika (now KKK) or President Putin and Russia (formerly part of the CCCP)? Any pretence of freedom in USA has long been exposed as a fallacy. Dear Leader Barack Hussein Obama is merely jealous that Putin wrestles with Siberian tigers, swims in icy waters, and does not bow and scrape to the Master of the Plantation.

  13. Curious reframing within a reframing . . . by sgt_doom · · Score: 3, Insightful

    . . . after all, JPMorgan Chase (Chase) is the largest criminal organization in America today, and together with Goldman Sachs, they effectively run and control the US Department of the Treasury, while existing as the major forces of the Federal Reserve Bank. If the Russian mob was attacking the American mob, it is really about the mobs, now isn't it?

  14. Ah yes, The Times by fustakrakich · · Score: 2

    The war mongering Randolph Hearst of the new century, and the old one.

    --
    “He’s not deformed, he’s just drunk!”
  15. I'm rooting for the Russians by Mister+Liberty · · Score: 3, Insightful

    I hate banks. So should you.

  16. Re:Russia not equal to USA by wiredlogic · · Score: 2

    You shouldn't delude yourself into thinking that the US has free elections or in any way resembles a true democracy or republic. Just look at how almost all states ban non-party affiliated voters from participating in primaries even though they use public resources to collect those votes.

    --
    I am becoming gerund, destroyer of verbs.