I hope they didn't do this just because I need a good “bad example”
for my Intro to Computer Security class.
JPMorgan Chase Says More Than 76 Million Households Were Compromised in Cyberattack
A cyberattack this summer on JPMorgan Chase compromised more than 76
million household accounts and seven million small-business accounts,
making it among the largest corporate hacks ever discovered.
The latest revelations, which were disclosed in a regulatory filing on
Thursday, vastly dwarf earlier estimates that hackers had gained access
to roughly one million customer accounts.
The new details about the extent of the cyberattack — which began in
June but was not discovered until July — sent JPMorgan scrambling
for the second time in just three months to contain the fallout.
…
Hackers were able to burrow deep into JPMorgan’s computer systems,
accessing the accounts of more than 90 servers — a breach that
underscores just how vulnerable the global financial system is to
cybercrime.
…
Investigators in law enforcement remain puzzled by the attack on the
bank because there was no evidence that the attackers looted any
customer money from accounts.
The lack of any apparent profit motive has generated speculation among
law enforcement officials and security experts that the hackers were
sponsored by foreign governments either in Russia or in southern
Europe.
It is still not clear how hackers managed to gain deep access to the
bank’s computer network. By the time the bank’s
security team discovered the breach in late July, hackers had already
gained the highest level of administrative privilege to more than 90
of the bank’s computer servers, according to several people
briefed on the results of the bank’s forensics investigation who
were not allowed to discuss it publicly.
…
More disturbing still, these people say, hackers made off with a
list of the applications and programs that run on every standard
JPMorgan computer – a hacker’s road map of sorts — which hackers
could cross check with known vulnerabilities in each program and web
application, in search of an entry point back into the bank’s
systems.
(Related)
JPMorgan cyberattack largest ever bank hack
…
That would make it the biggest single data breach hack since 130
million credit and debit card details were stolen from Heartland
Payment Systems in 2007.
(Related)
Perhaps they need better advisors?
Well, I nearly trashed this email as spam because the sender
showed as “Gregory Quental,” with a subject line “Important
update on cyber security.” I’m glad I looked at it, though, as
it was a message from JPMorgan about their breach:
As you may know, Chase recently was the victim of a sophisticated
cyber attack. Since then, we have been conducting a comprehensive
investigation of the incident and have found no evidence that client
account information was compromised.
Our detailed review has found no evidence that account numbers,
passwords, dates of birth and Social Security numbers were
compromised. We therefore do not believe you need to take any action
related to your account. The information that was compromised was
contact information — names, addresses, phone numbers and email
addresses for users of Chase.com, J.P. Morgan Online, Chase Mobile
and J.P. Morgan Mobile, as well as internal JPMorgan Chase
information relating to such users.
We want to assure you that we take this incident very seriously, and
have no evidence that the attackers are still in our systems. These
kinds of attacks are frequent, and while this one was sophisticated,
we stopped it and continue to invest in preventing future attacks.
It is important to note that we have not seen any unusual fraud
activity across all of our accounts, and you are not liable for any
unauthorized transactions on your account that you promptly alert us
to.
We regret this incident happened. As always, your J.P. Morgan
advisor and client service team are available to discuss any
questions or concerns.
Sincerely,
Gregory Quental
Chief Executive Officer
J.P. Morgan Securities
Best Practices?
When Community Health Systems revealed it had been
breached earlier this year, a spotlight was placed on
cybersecurity in the healthcare industry, and the diagnosis was not
good.
In that case, patient records for some 4.5 million people were exposed
by hackers. The situation added Community Health Systems to the list
of organizations impacted by security incidents, and sparked
discussions about the importance of
information sharing within the industry and between companies and
the government.
Based on his experience consulting with healthcare organizations, Michael
Wojcik, senior manager with Ernst & Young, noticed patterns among
organizations that contribute to security failings, and at the (ISC)²
Security Congress in Atlanta this week outlined the five most common
security mistakes healthcare organizations make.
Perhaps not surprisingly, understanding and managing risk is critical, and
failing to do both are numbers one and two on Wojcik's list of missteps.
… It is also important for organizations to properly categorize their
assets. Many organizations don't have a good handle on where all the
sensitive information in their organization is, he said.
Silk Road Lawyers Poke Holes in FBI’s Story
…
Last month, the U.S. government released court records claiming that FBI
investigators were able to divine
the location of the hidden Silk Road servers because the community’s
login page employed an anti-abuse CAPTCHA service that pulled content
from the open Internet — thus leaking the site’s true Internet
address.
But lawyers for alleged Silk Road captain Ross W. Ulbricht (a.k.a. the
“Dread Pirate Roberts”)
asked the court to compel prosecutors to prove their version of
events. And indeed, discovery documents reluctantly released by the
government this week appear to poke serious holes in the FBI’s
story.
For starters, the defense asked the government for the name of the
software that FBI agents used to record evidence of the CAPTCHA
traffic that allegedly leaked from the Silk Road servers.
The government essentially responded (PDF) that it could not comply with
that request because
the FBI maintained no records of its own access, meaning that the
only record of their activity is in the logs of the seized Silk Road
servers.
…
“Apparently, Ulbricht had this split architecture, where the
initial communication through Tor went to the front-end server, which
in turn just did a normal fetch to the back-end server. It’s not
clear why he set it up this way, but the document the government
released in 70-6.pdf
shows the rules for serving the Silk Road Web pages, and those rules
are that all content – including the login CAPTCHA – gets served
to the front end server but to nobody else. This suggests that the
Web service specifically refuses all connections except from the
local host and the front-end Web server.”
Translation: Those rules mean that the Silk Road server would deny any request
from the Internet that wasn’t coming from the front-end server, and
that includes the CAPTCHA.
“This configuration file was last modified on June 6, so on June 11 —
when the FBI said they [saw this leaky CAPTCHA] activity — the
FBI could not have seen the CAPTCHA by connecting to the server while
not using Tor,” Weaver said.
…
Many in the Internet community have officially called baloney
[that's a technical term] on the government’s claims, and these
latest apparently contradictory revelations from the government are
likely to fuel speculation
that the government is trying to explain away some not-so-by-the-book
investigative methods.
(Related)
A Year After Death of Silk Road, Darknet Markets Are Booming
How are you going to talk to all those “things” on the Internet of Things?
Google: No app? No problem for Web-connected devices
…
The search giant this week revealed a project called "Physical Web,"
which aims to
create a common standard that ties together disparate Web-enabled
devices by using URLs instead of mobile apps.
Here's how it would work: Each device -- Google uses bus stops and vending
machines as an example -- is assigned its own URL. That URL is then
beamed out to everything around it and will show up on a nearby phone
or tablet.
People can then interact with the objects via their mobile device
using the open Web, instead of needing to download one app for bus
stops and a separate app for vending machines.
…
Several of the world's largest tech companies are making bets on the
nascent "Internet of Things," referring to Web-infused
devices. Google in January announced the acquisition of Nest, the
high-profile maker of smart-home gadgets like the Nest Learning
Thermostat and Nest Protect smoke detector, for $3.2 billion.
Samsung in August said it was buying SmartThings, an open platform
for smart home devices. Apple also entered the fray when it
introduced HomeKit for its iOS 8 mobile operating system, which
lets people control various devices from an iPhone or iPad.
Using the Physical Web approach, Google said new "tiny use cases"
become possible, like a bus stop telling you when the next bus is
coming or a rental car beaming you a sign-up sheet so you can drive
away immediately.
(Related)
Your things are on the Internet of Things, even when they talk to
your employer.
BYOD Privacy: Do Employees Have Rights?
Using personal devices to conduct business has become commonplace, whether
employers require it or employees voluntarily do so. The use of
personal devices creates a privacy challenge. Employers want access
to the devices, and employees want to protect their personal data
contained on them.
…
In Colin Cochran v. Schwan's Home Service, Inc., the California
Court of Appeals in August reversed a Superior Court in Los Angeles
County and ruled that "when employees must use their personal
cell phones for work-related calls, Labor Code section 2802 requires
the employer to reimburse them."
…
The Court's answer was "that reimbursement is always required.
Otherwise, the employer would receive a windfall because it would be
passing its operating expenses onto the employee."
Maybe not the best way, but certainly one way that could work. For
instance...
How Apple Is Monetizing Privacy With iOS 8
…
Tim Cook announced at the last Apple Keynote that, as of iOS 8, even
Apple will no longer be able to get around your passcode and decrypt
your device. This means anyone who has your iPhone or iPad, whether
they’re a thief or a police officer trying to execute a warrant,
will find cracking your phone to be nearly impossible. Apple says
this is a big step forward for device security, but is that true?
In a word, yes.
A passcode on an iOS device may just look like a number, but once
enabled it activates encryption of your entire smartphone.
…
What makes Apple Pay more secure than most is the fact your credit
card information never needs to leave your device. Paying does not
relay your credit card number but instead relays a unique payment ID
that’s valid only for that specific transaction. This is known as
tokenization.
It’s been used before by secure credit card payment systems, but
Apple Pay is the first to apply the idea to paying via phone.
Is “Don't get caught” adequate guidance?
Facebook Tightens Oversight of Research
Facebook Inc. said Thursday it has changed how it conducts
experiments on users, by giving its researchers more guidance and
adding internal reviews.
But the company declined to discuss other details of the new standards,
which some outsiders called inadequate.
The measures follow the disclosure in June of an earlier experiment in
which Facebook researchers altered the news feeds of 700,000 users,
omitting content with words associated with either positive or
negative emotions, seeking to study how emotions spread on the social
network.
…
On Thursday, Facebook said it would tighten oversight of its data
scientists by giving them clearer guidelines and creating an internal
review panel of senior researchers. It also said researchers would
be schooled in the ethics of such studies.
It's called “undue reliance.” It's coming to your bank next!
Why Ben Bernanke Can’t Refinance His Mortgage
…
The problem probably boils down to this: Anybody who knows how the
world works may know that Ben Bernanke has vast earning potential,
and that he is as safe a credit risk as one could imagine. But he
just changed jobs a few months ago. And in
the thoroughly automated world of mortgage finance, having recently
changed jobs makes you a steeper credit risk.
My favorite...
GeekWire Summit: Check out these 5 innovations we love
PicoBrew
If you’re geeky and you love beer, PicoBrew might be of interest.
PicoBrew CEO Bill Mitchell, a former Microsoft executive, today showed off his
company’s automatic all-grain beer brewing system that’s the size
of a microwave.
“This thing eats hops, grain, yeast, and water — and poops out great
craft beer,” [Probably not the best image for marketing Bob] Mitchell said
today.
After absolutely obliterating its crowdfunding campaign goal and raising
$661,026 from Kickstarter backers last year, PicoBrew completed a
$1.2 million Series AA round from angel investors this past May. Learn
more about PicoBrew here.
I'm hoping the student book club will push articles like this to all our
students.
5 Tips To Read More Books Every Year
There are just so many amazing books out there and several more are being
written/published this very instant.
…
We promise it will be fun, and more so if you turn into a
librocubicularist.
[Guilty! Bob]
Equal time for the student gamer's club.
5 Surprisingly Deep Free Browser-Based Strategy Games
Could be used for textbooks or even walking students through our portal!
Try it for free.
Imagine you were sitting next to your customer and showing them how
to work with the application you have just built. Inline Manual does
that for you. Inline Manual presents a new layer on top of your
application that allows your customers to work with the application
while they are learning. Learning by doing at its best.