Friday, October 03, 2014

I hope they didn't do this just because I need a good “bad example” for my Intro to Computer Security class.
JPMorgan Chase Says More Than 76 Million Households Were Compromised in Cyberattack
A cyberattack this summer on JPMorgan Chase compromised more than 76 million household accounts and seven million small-business accounts, making it among the largest corporate hacks ever discovered.
The latest revelations, which were disclosed in a regulatory filing on Thursday, vastly dwarf earlier estimates that hackers had gained access to roughly one million customer accounts.
The new details about the extent of the cyberattack — which began in June but was not discovered until July — sent JPMorgan scrambling for the second time in just three months to contain the fallout.
… Hackers were able to burrow deep into JPMorgan’s computer systems, accessing the accounts of more than 90 servers — a breach that underscores just how vulnerable the global financial system is to cybercrime.
… Investigators in law enforcement remain puzzled by the attack on the bank because there was no evidence that the attackers looted any customer money from accounts.
The lack of any apparent profit motive has generated speculation among law enforcement officials and security experts that the hackers were sponsored by foreign governments either in Russia or in southern Europe.
It is still not clear how hackers managed to gain deep access to the bank’s computer network. By the time the bank’s security team discovered the breach in late July, hackers had already gained the highest level of administrative privilege to more than 90 of the bank’s computer servers, according to several people briefed on the results of the bank’s forensics investigation who were not allowed to discuss it publicly.
… More disturbing still, these people say, hackers made off with a list of the applications and programs that run on every standard JPMorgan computer– a hacker’s road map of sorts — which hackers could cross check with known vulnerabilities in each program and web application, in search of an entry point back into the bank’s systems.

(Related)
JPMorgan cyberattack largest ever bank hack
… That would make it the biggest single data breach hack since 130 million credit and debit card details were stolen from Heartland Payment Systems in 2007.

(Related) Perhaps they need better advisors?
Well, I nearly trashed this email as spam because the sender showed as “Gregory Quental,” with a subject line “Important update on cyber security.” I’m glad I looked at it, though, as it was a message from JPMorgan about their breach:
As you may know, Chase recently was the victim of a sophisticated cyber attack. Since then, we have been conducting a comprehensive investigation of the incident and have found no evidence that client account information was compromised.
Our detailed review has found no evidence that account numbers, passwords, dates of birth and Social Security numbers were compromised. We therefore do not believe you need to take any action related to your account. The information that was compromised was contact information — names, addresses, phone numbers and email addresses for users of Chase.com, J.P. Morgan Online, Chase Mobile and J.P. Morgan Mobile, as well as internal JPMorgan Chase information relating to such users.
We want to assure you that we take this incident very seriously, and have no evidence that the attackers are still in our systems. These kinds of attacks are frequent, and while this one was sophisticated, we stopped it and continue to invest in preventing future attacks. It is important to note that we have not seen any unusual fraud activity across all of our accounts, and you are not liable for any unauthorized transactions on your account that you promptly alert us to.
We regret this incident happened. As always, your J.P. Morgan advisor and client service team are available to discuss any questions or concerns.
Sincerely,
Gregory Quental
Chief Executive Officer
J.P. Morgan Securities


Best Practices?
When Community Health Systems revealed it had been breached earlier this year, a spotlight was placed on cybersecurity in the healthcare industry, and the diagnosis was not good.
In that case, patient records for some 4.5 million people were exposed by hackers. The situation added Community Health Systems to the list of organizations impacted by security incidents, and sparked discussions about the importance of information sharing within the industry and between companies and the government.
Based on his experience consulting with healthcare organizations, Michael Wojcik, senior manager with Ernst & Young, noticed patterns among organizations that contribute to security failings, and at the (ISC)2 Security Congress in Atlanta this week outlined the five most common security mistakes healthcare organizations make.
Perhaps not surprisingly, understanding and managing risk is critical, and failing to do both are numbers one and two on Wojcik's list of missteps.
It is also important for organizations to properly categorize their assets. Many organizations don't have a good handle on where all the sensitive information in their organization is, he said.


Reminds me of that cartoon, “then a miracle occurs.” (see: http://cafehayek.com/2014/03/then-a-miracle-occurs.html )
Silk Road Lawyers Poke Holes in FBI’s Story
… Last month, the U.S. government released court records claiming that FBI investigators were able to divine the location of the hidden Silk Road servers because the community’s login page employed an anti-abuse CAPTCHA service that pulled content from the open Internet — thus leaking the site’s true Internet address.
But lawyers for alleged Silk Road captain Ross W. Ulbricht (a.k.a. the “Dread Pirate Roberts”) asked the court to compel prosecutors to prove their version of events. And indeed, discovery documents reluctantly released by the government this week appear to poke serious holes in the FBI’s story.
For starters, the defense asked the government for the name of the software that FBI agents used to record evidence of the CAPTCHA traffic that allegedly leaked from the Silk Road servers. The government essentially responded (PDF) that it could not comply with that request because the FBI maintained no records of its own access, meaning that the only record of their activity is in the logs of the seized Silk Road servers.
… “Apparently, Ulbricht had this split architecture, where the initial communication through Tor went to the front-end server, which in turn just did a normal fetch to the back-end server. It’s not clear why he set it up this way, but the document the government released in 70-6.pdf shows the rules for serving the Silk Road Web pages, and those rules are that all content – including the login CAPTCHA – gets served to the front end server but to nobody else. This suggests that the Web service specifically refuses all connections except from the local host and the front-end Web server.”
Translation: Those rules mean that the Silk Road server would deny any request from the Internet that wasn’t coming from the front-end server, and that includes the CAPTCHA.
“This configuration file was last modified on June 6, so on June 11 — when the FBI said they [saw this leaky CAPTCHA] activity — the FBI could not have seen the CAPTCHA by connecting to the server while not using Tor,” Weaver said.
… Many in the Internet community have officially called baloney [that's a technical term] on the government’s claims, and these latest apparently contradictory revelations from the government are likely to fuel speculation that the government is trying to explain away some not-so-by-the-book investigative methods.

(Related)
A Year After Death of Silk Road, Darknet Markets Are Booming


How are you going to talk to all those “things” on the Internet of Things?
Google: No app? No problem for Web-connected devices
… The search giant this week revealed a project called "Physical Web," which aims to create a common standard that ties together disparate Web-enabled devices by using URLs instead of mobile apps.
Here's how it would work: Each device -- Google uses bus stops and vending machines as an example -- is assigned its own URL. That URL is then beamed out to everything around it and will show up on a nearby phone or tablet. People can then interact with the objects via their mobile device using the open Web, instead of needing to download one app for bus stops and a separate app for vending machines.
… Several of the world's largest tech companies are making bets on the nascent "Internet of Things," referring to Web-infused devices. Google in January announced the acquisition of Nest, the high-profile maker of smart-home gadgets like the Nest Learning Thermostat and Nest Protect smoke detector, for $3.2 billion. Samsung in August said it was buying SmartThings, an open platform for smart home devices. Apple also entered the fray when it introduced HomeKit for its iOS 8 mobile operating system, which lets people control various devices from an iPhone or iPad.
Using the Physical Web approach, Google said new "tiny use cases" become possible, like a bus stop telling you when the next bus is coming or a rental car beaming you a sign-up sheet so you can drive away immediately.

(Related) Your things are on the Internet of Things, even when they talk to your employer.
BYOD Privacy: Do Employees Have Rights?
Using personal devices to conduct business has become commonplace, whether employers require it or employees voluntary do so. The use of personal devices creates a privacy challenge. Employers want access to the devices, and employees want to protect their personal data contained on them.
… In Colin Cochran v. Schwan's Home Service, Inc., the California Court of Appeals in August reversed a Superior Court in Los Angeles County and ruled that "when employees must use their personal cell phones for work-related calls, Labor Code section 2802 requires the employer to reimburse them."
… The Court's answer was "that reimbursement is always required. Otherwise, the employer would receive a windfall because it would be passing its operating expenses onto the employee."


Maybe not the best way, but certainly one way that could work. For instance...
How Apple Is Monetizing Privacy With iOS 8
… Tim Cook announced at the last Apple Keynote that, as of iOS 8, even Apple will no longer be able to get around your passcode and decrypt your device. This means anyone who has your iPhone or iPad, whether they’re a thief or a police officer trying to execute a warrant, will find cracking your phone to be nearly impossible. Apple says this is a big step forward for device security, but is that true?
In a word, yes. A passcode on an iOS device may just look like a number, but once enabled it activates encryption of your entire smartphone.
… What makes Apple Pay more secure than most is the fact your credit card information never needs to leave your device. Paying does not relay your credit card number but instead relays a unique payment ID that’s valid only for that specific transaction. This is known as tokenization. It’s been used before by secure credit card payment systems, but Apple Pay is the first to apply the idea to paying via phone.
The system is hardened against thieves, as well, because (on the iPhone 6, at least) the fingerprint reader is used to make a payment.


Is “Don't get caught” adequate guidance?
Facebook Tightens Oversight of Research
Facebook Inc. FB +0.73% said Thursday it has changed how it conducts experiments on users, by giving its researchers more guidance and adding internal reviews.
But the company declined to discuss other details of the new standards, which some outsiders called inadequate.
The measures follow the disclosure in June of an earlier experiment in which Facebook researchers altered the news feeds of 700,000 users, omitting content with words associated with either positive or negative emotions, seeking to study how emotions spread on the social network.
… On Thursday, Facebook said it would tighten oversight of its data scientists by giving them clearer guidelines and creating an internal review panel of senior researchers. It also said researchers would be schooled in the ethics of such studies.


It's called “undue reliance.” It's coming to your bank next!
Why Ben Bernanke Can’t Refinance His Mortgage
… The problem probably boils down to this: Anybody who knows how the world works may know that Ben Bernanke has vast earning potential, and that he is as safe a credit risk as one could imagine. But he just changed jobs a few months ago. And in the thoroughly automated world of mortgage finance, having recently changed jobs makes you a steeper credit risk.


My favorite...
GeekWire Summit: Check out these 5 innovations we love
Picobrew
If you’re geeky and you love beer, PicoBrew might be of interest.
PicoBrew CEO Bill Mitchell, a former Microsoft executive, today showed off his company’s automatic all-grain beer brewing system that’s the size of a microwave.
This thing eats hops, grain, yeast, and water — and poops out great craft beer,” [Probably not the best image for marketing Bob] Mitchell said today.
After absolutely obliterating its crowdfunding campaign goal and raising $661,026 from Kickstarter backers last year, PicoBrew completed a $1.2 million Series AA round from angel investors this past May. Learn more about PicoBrew here.


I'm hoping the student book club will push articles like this to all our students.
5 Tips To Read More Books Every Year
There are just so many amazing books out there and several more are being written/published this very instant.
… We promise it will be fun, and more so if you turn into a librocubicularist. [Guilty! Bob]


Equal time for the student gamer's club.
5 Surprisingly Deep Free Browser-Based Strategy Games


Could be used for textbooks or even walking students through our portal! Try it for free.
– Imagine you were sitting next to your customer and showing them how to work with the application you have just built. Inline Manual does that for you. Inline Manual presents a new layer on top of your application that allows your customers work with the application while they are learning. Learning by doing at its best.

No comments: