Dark Reading is part of the Informa Tech Division of Informa PLC


Comments
JPMorgan Hack: 2FA MIA In Breached Server
xmarksthespot (User Rank: Strategist), 3/9/2015 | 5:47:25 PM
Many systems secure without two-factor authentication
Like many breaches, we do not have all the information about the hack. Was a password sniffed from a system or was a hash cracked? A truly random password with a length of 12 characters using letters, numbers and special characters will not be cracked, possibly negating the benefit of two-factor authentication. As with most hacks, there were probably multiple, basic measures that were missed leading to the possibility of exploit, but we can't know for sure without all the details.
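The post above rests on a keyspace argument: a 12-character password drawn uniformly from letters, digits and symbols is out of reach of offline guessing. The block below is an added example from the editor, not code from the thread or from Dark Reading; it turns that argument into numbers for any alphabet, length and guess rate. The two guess rates in GUESS_RATES are constructed order-of-magnitude placeholders (an assumption), not benchmarks, and the sample passwords are constructed inputs.

```python
"""Added example (editor's code, not from the thread): how long a uniformly
random password survives an offline guessing attack, as a function of the
alphabet it was drawn from, its length and the attacker's guess rate."""
import math
import string

# Guesses per second. Constructed, order-of-magnitude placeholders only
# (assumption); substitute figures measured against the hash actually in use.
GUESS_RATES = {
    "fast unsalted hash on a GPU rig": 1e11,
    "slow, tunable KDF such as bcrypt/scrypt/Argon2": 1e4,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600

CHARACTER_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
)


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, inferred from the
    character classes present in the password. Characters outside the four
    standard classes (space, non-ASCII) each add one symbol, a deliberately
    conservative bound."""
    size = 0
    for members, n in CHARACTER_CLASSES:
        if any(c in members for c in password):
            size += n
    standard = set().union(*(m for m, _ in CHARACTER_CLASSES))
    size += len({c for c in password if c not in standard})
    return size


def keyspace(alphabet: int, length: int) -> int:
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet ** length


def entropy_bits(alphabet: int, length: int) -> float:
    """Bits of entropy for a uniformly random password. This does NOT hold
    for a human-chosen password, which falls to dictionary and rule attacks
    whatever its length."""
    return length * math.log2(alphabet)


def expected_years(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Mean time to hit a uniformly random password: the attacker searches
    half the keyspace on average."""
    return keyspace(alphabet, length) / 2 / guesses_per_second / SECONDS_PER_YEAR


def report(password: str) -> dict:
    """Summarise alphabet, entropy and expected crack time at each guess rate."""
    alphabet = charset_size(password)
    length = len(password)
    return {
        "alphabet": alphabet,
        "length": length,
        "entropy_bits": round(entropy_bits(alphabet, length), 1),
        "years": {name: expected_years(alphabet, length, rate)
                  for name, rate in GUESS_RATES.items()},
    }


if __name__ == "__main__":
    # Constructed sample inputs: an 8-character lowercase password and a
    # random 12-character mixed-class one of the kind the post describes.
    for pw in ("qwertyui", "k7$Pz!v2Qm@e"):
        r = report(pw)
        print(f"{pw!r}: alphabet={r['alphabet']} length={r['length']} "
              f"entropy={r['entropy_bits']} bits")
        for name, years in r["years"].items():
            print(f"    {name}: ~{years:.3g} years on average")
```

The model shows why the post's "will not be cracked" holds for a genuinely random 12-character password (about 78.7 bits, tens of thousands of years even at the fast placeholder rate) and why an 8-character lowercase one does not. It also shows the limit of the argument: entropy only protects against guessing. A password captured by a sniffer, keylogger or phishing page costs the attacker zero guesses, which is exactly the case a second factor is meant to cover.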
Technocrati (User Rank: Ninja), 12/31/2014 | 5:25:06 PM
Re: J.P. Morgan and The Big Hole

@ODA155 I agree. Software is just one piece of this puzzle. And I thank you for taking the time to do the deep thinking on the issue. I agree with your listed shortcomings, chief among them are research and incorporating security tools within the current infrastructure.

And it sounds simple, but you know someone was alerted and apparently it was ignored. That is an aspect that makes this all the more reason that someone should lose their job over this, which we are and will continue to wait on.

Regardless, your points are well taken, and it might be wise for Chase and all the rest of these companies to take heed of your recommendations (and of anyone who cares to comment), because if this continues to happen, it won't continue to be funny.

Technocrati (User Rank: Ninja), 12/31/2014 | 4:42:09 PM
Re: J.P. Morgan and The Big Hole

@ODA155 Happy New Year to you as well! No, I am not a Chase insider; I should have said "I am reasonably certain..." instead of "I know". I would never work at Chase, though I guess I could be bought. :)

No, I am just a citizen and admin who has not quite gotten over the financial-industry-induced depression yet. My opinions have also been formed by being a former customer of theirs: the bank is simply terrible. If they invested as much in security as they do in expansion (a Chase on every corner ring a bell?), this issue probably would never have happened.

Rumor has it they are the oldest bank in the U.S., and they act like it, so it is with great glee that I expose a few more aspects of Chase other than their inability to safeguard the data entrusted to them.

I am patiently waiting for the next blunder by Chase (and Sony, for that matter) because it is sure to happen. Just in the case of Chase, though, we won't know exactly when the latest breach happened until they are apparently good and ready.

It may be time to remind Chase execs again that neither they nor their vaunted business is above the law.

ODA155 (User Rank: Ninja), 12/31/2014 | 11:03:37 AM
Re: J.P. Morgan and The Big Hole
@Technocrati...

After reading your last post, I agree that most security software does demand a higher level of attention (some may even call it babysitting), but I disagree with the notion that the applications are the problem. What I see is that the companies or the individuals responsible for bringing in these security systems are:
  • doing a poor job of product research, evaluation and planning on how to insert them into the current infrastructure.
  • turning the systems over to already over-taxed, under-staffed sysadmins who put security behind operations and performance.
  • turning security systems down or ignoring alerts.

You can also add to the equation that unless the company in question is some huge deep-pocketed entity, they probably do not have security people who specialize in the more technical aspects of these systems. How many IT shops are short sysadmins? Do you really think these companies are going to hire a security person who ONLY sits in front of a console monitoring a SIEM... (which, by the way, is a very credible argument)?

Personally, I think the whole mindset of what a security department is needs to be revisited, especially how it's managed, staffed and funded. In most companies security does have a place at the table, but it's only advisory, that is until something bad happens and then everyone wants to blame a certain system because it didn't do what it was supposed to do; but when fully investigated you'll learn that the system did what it was designed, configured or changed to do, but alerts were ignored, or the user community ignores policy, or policy was not changed to include that shiny new system that was supposed to protect everything.

I could be wrong, but that's how I see it.

HAPPY NEW YEAR!
Technocrati (User Rank: Ninja), 12/30/2014 | 10:08:43 PM
Re: J.P. Morgan and The Big Hole

@jamieinmontreal You raise some excellent points about this issue of security. And I do certainly agree that the security industry does not do itself any favors with the customarily convoluted software which would tax the best admins among us.

It reminds me of troubleshooting a firewall about 10 years ago; the manual at the time was the size of a book you might see in law school or Congress. It was a major challenge to sift through an interface that was, even at that time, confusing at best. I finally did get access through a port that was needed, but it was one of my most challenging projects up until that point. So I understand security is no easy job, but vendors can and should make things much easier for admins.

And you bring up another great point about the vastness of security layers. This certainly makes this issue even more difficult. Not to mention the regulations.

But I think what annoys me most is what Kelly mentioned earlier in the thread: if we can't depend on those in the financial industry to take those steps that mere mortals fear to tread, what hope do we really have?

Sony is a prime example of this: many believe that there is a separate group which took down their PlayStation network. So not only have they been breached, it is by two distinct groups! What security hole are these companies overlooking? I know security experts hate to think they don't have a solution, but in Sony's case this appears to be true.

But in the case of Chase? There is simply no excuse (not to imply there is one for Sony either); these companies have more than enough resources to get the best experts. This did not happen, and why? Because, as you mention (and I also agree), security is seen as an expense, and it is clear companies have conducted a risk analysis on the amount of bad press and potential loss that a breach might cause.

I like your ideas for improvement. I hope the industry hears us, because it is obvious that the practices that are in place just are not working.

ODA155 (User Rank: Ninja), 12/30/2014 | 1:11:47 PM
Re: J.P. Morgan and The Big Hole
@DR.T...
"I agree. You can actually put two-factor on servers to decrease risk of exploits, but that being the solution for their hack is that realistic."

I believe you mean 2FA will prevent unauthorized access; 2FA will not "decrease risk of exploits".

@Technocrati...
"I for one already know Chase is using "smoke and mirrors" when it comes to security. They are doing no more than is required by law, and that apparently isn't enough."

You "know"; that would insinuate that you are a Chase insider. Are you... please share. "They are doing no more than is required by law...": information security is a "Cost Center"... we do not generate money for the company, we spend the money the business makes, so if you work in InfoSec you would not be surprised by the statement you made; pissed or upset, yes, but not surprised.

@Kelly Jackson Higgins...
"...we look to financial institutions as the "gold standard" for security." Sad to say, but I'd put more trust in security for casinos or the porn industry, but that's just me.

@jamieinmontreal...
I believe the problem is that companies want it both ways: they want the government to protect them from events like North Korea hacking their business or cyber warfare, but when it comes to regulation or compliance, they want to write the rules that decide what compliance is. Either way there is another problem: any law and/or compliance regulation that addresses cyber security must be constantly reviewed and adjusted; it cannot remain static. After every data breach there is something to be learned, and in my opinion this is how it should be done... along with stiff penalties and jail time for non-compliance.
jamieinmontreal (User Rank: Strategist), 12/30/2014 | 10:48:29 AM
Re: J.P. Morgan and The Big Hole
@Technocrati "these companies are not in the business of security"

Very true, but then again we can't expect every company not "in the business of security" to be driving security as a prime business goal, hence the need for regulations.

Then there are layers upon layers of security to sift through: physical, virtual, software defined, hardware based; thousands of vendors and applications all vying for center stage in the CISO's strategy, and yet he/she has to produce something concise for the board that explains what they can and will secure, how much that will cost over time and how effective they expect the "solution" to be. The board is also not expecting a treatise on 25 different products that will each require maintenance and support on an ongoing basis.

Organisations which do something other than security to earn a crust won't and shouldn't move focus from core business to security. Like "marketing" in the 70s/80s and "IT" in the 80s/90s, data security is a cost to the company's bottom line that doesn't necessarily deliver tangible benefits.

The goals for the companies who are in the security world on all layers should be to make easy-to-implement and easy-to-manage systems and to build suites of products that demonstrate EXACTLY how they address various regulatory standards. Imagine being able to easily deploy a suite of solutions to exceed various regulatory requirements: NERC, FERC, FINRA, SOX, GLBA, HIPAA, other PII regs... the list goes on.

The onus is on the security-related organisations to make their products as easy as possible to implement and to develop some solid, demonstrable track records in how they prevent attacks from succeeding and/or minimize the effect of any breaches if/when they occur. Think of the AV industry in the early days... people would cancel contracts because they saw no value in the AV software; then the smarter AV firms started presenting how many "threats" they "stopped". How many organisations now run without something checking email and web traffic?

My predictions for 2015 and security?
  • New security industry standards, as opposed to regulatory compliance, becoming a driver: "Industry standard X will help you meet the following cyber security regulations..." kind of a thing.
  • Consolidation of industry players: MSPs, SIs, resellers, VARs, LARs, providers, consultants coming together to create security-driven services and bundling products that work well together.
  • Shifting budgets away from CapEx to operationalised models with hybrid cloud coming to the fore. This will be in tandem with a shift in focus from perimeter "build me a bigger wall" security to knowledge-based "who are you and what do you want" security. Identity management will become a critical enabler of this flexible, cloud-based, spin-up/spin-down information technology infrastructure.
Technocrati (User Rank: Ninja), 12/29/2014 | 1:52:18 PM
Re: J.P. Morgan and The Big Hole

"What's most disturbing here is that we look to financial institutions as the "gold standard" for security."

@Kelly Your point is absolutely correct; there is no argument there. But I ask, was this assumption ever realistic and earned? The banks will argue they have a low rate of breaches. Well, what is that actually due to? It has been implied that the financial industry was the best in this regard because, after all, security is in their best interest.

And that is where the issue of security becomes blurred, IMO. What is the business that Chase (in this case) is in? It is not the security business, nor altruism. It is deposits and profits. That is all Chase and any other financial institution is concerned with, because that is their business.

This issue of security (oh well) is regulated by the government, in this case the third party to absorb blame should something go wrong, which ironically is needed because without it (government) nothing would happen in a consistent way.

I refuse to see this latest "dropped security ball" from Chase, Sony (and Target, for that matter) as purely a technical issue; that is too easy, in my opinion. Nor will I ignore that this is a reflection of their culture and business practice in general. There is no shying away from this, IMO.

The reactions of Chase (the delayed announcement, etc.) and Sony (the "it's everyone's problem" response) only underscore the fact that these companies are not in the business of security, nor apparently in employing it effectively.

Kelly Jackson Higgins (User Rank: Strategist), 12/29/2014 | 11:13:25 AM
Re: J.P. Morgan and The Big Hole
What's most disturbing here is that we look to financial institutions as the "gold standard" for security. If one of the biggest of these institutions didn't perform basic security best practices, we should be very, very worried about the other banks as well as other industries.
Technocrati (User Rank: Ninja), 12/27/2014 | 9:02:50 PM
Re: J.P. Morgan and The Big Hole

Dr.T That is what I am saying: two-factor authentication should have been a basic requirement. This is a bank, not an online site selling t-shirts. Someone ought to lose their job(s), but this is Chase, where your account is more likely to be closed than any potential security hole.
