BreachExchange mailing list archives

Beyond Chase: 9 More Banks Breached?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 6 Oct 2014 19:19:39 -0600

http://www.databreachtoday.com/beyond-chase-9-more-banks-breached-a-7402

The hackers who successfully infiltrated the network of banking giant
JPMorgan Chase have also breached the networks of approximately nine other
financial institutions, none of which has been publicly named, according to
an Oct. 3 New York Times report. The report quotes unnamed U.S. officials,
who suspect the overseas attacks were launched by a Russian-based group
that is believed to have ties to the Russian government.

Beyond that suspicion, however, investigators reportedly still don't
understand the rationale behind the attacks. "It could be mixed motives -
to steal if they can, or to sell whatever information they could glean," an
unnamed official tells the Times. Likewise, "it could be in retaliation for
the sanctions" being imposed on Russia over its actions in the Ukraine.

JPMorgan Chase disclosed on Oct. 2 in a filing to the Securities and
Exchange Commission that the breach compromised information relating to 83
million U.S. households and businesses (see Chase Breach: Lessons for Banks).

Chase believes that the network intrusion began in June, but wasn't
detected by the bank's security team until late July, by which point
hackers had "obtained the highest level of administrative privilege to
dozens of the bank's computer servers," the Times reports. It adds that
it's only in recent days that Chase has begun to understand the full extent
of the breach.

Chase Investigation Continues

The breach at Chase wasn't fully contained until the middle of August, the
Times reports, adding that the bank has been working with multiple U.S.
government agencies - including the Treasury Department, Secret Service,
and multiple intelligence agencies - to investigate the intrusion.

What's notable, however, is that the attackers don't appear to have stolen
financial information, such as bank account numbers. "We have not seen
unusual fraud activity related to this incident," Chase says in a statement.

While attackers did obtain contact information from everyone who recently
logged into Chase's website or mobile applications - including their names,
addresses, phone numbers and e-mail addresses - that information wouldn't
be good for much more than launching relatively targeted spear phishing
attacks.

"There is no evidence that financial data such as account numbers,
passwords, user IDs, dates of birth or Social Security numbers were
accessed, acquired or compromised," Chase says in a breach FAQ.

"We uncovered an attack by an outside adversary recently where the firm's
technology environment was compromised," Kristin Lemkau, a JPMorgan Chase
spokesperson, has told the Times. "We are confident we have closed any known
access points and prevented any future access in the same way."

But as Bloomberg notes, if attackers were smart enough to compromise
Chase's network, they may also have been good enough to leave backdoors
into Chase's network that have yet to be detected.

Beware Russian Attribution

To date, attackers' identity and motives reportedly still aren't clear, and
some U.S. officials have warned against jumping to conclusions. "We've been
wrong before," an unnamed official with knowledge of the Chase
investigation told the Times.

That view has been echoed by multiple information security experts. "[It's]
very dangerous to start attributing blame too soon," says cybersecurity
expert Alan Woodward, who's a visiting professor at the department of
computing at Britain's University of Surrey. "It is extremely difficult to
track down these attacks and simplistic data such as IP addresses are
fraught with the risk of false attribution."

"Without solid evidence, people should be careful about attributing blame
to any parties," says Dublin-based independent information security
consultant Brian Honan.

In fact, advanced hackers will go out of their way to not just disguise the
origins of the attack, but attempt to deflect the blame. "It is a
well-known tactic of criminals or cyber spies to mount false-flag
operations so that investigators start chasing spurious leads," says
Woodward, who's also a cybersecurity adviser to Europol's European
Cybercrime Center. "We do need to be very careful about criminals hiding
behind country boundaries and it is for this reason that so much effort is
going into international, cross-border collaboration, including [with]
countries such as Russia, so that criminals cannot hide in one country and
attack another."

Complex IT Environment

Regardless of whether a Russian gang was involved in the Chase breach,
because cybercriminals aim to steal money, banks are - and will remain - a
top target. "The biggest ones are often the biggest targets," John
Pescatore, director of research for the SANS Institute, tells Information
Security Media Group. "They've also got a more complex IT environment, lots
of business partners, third-party suppliers," he says, meaning that there
are many potential ways an attacker might breach a bank's network.

"Bigger isn't always better, from a security perspective," he says.

Many financial services firms also continue to rely on a large amount of
legacy IT infrastructure. "Some of the legacy systems in use in banking
were never intended to be networked in the way they are now," the
University of Surrey's Woodward says. "However, that does mean that often,
whole new systems have been built to act as an interface - and in so doing,
one hopes that suitable security has been included."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/