A cyberattack this summer on JPMorgan Chase compromised the accounts of 76 million households and seven million small businesses, a tally that dwarfs previous estimates by the bank and puts the intrusion among the largest ever.
The details of the breach — disclosed in a securities filing on Thursday — emerge at a time when consumer confidence in the digital operations of corporate America has already been shaken. Target, Home Depot and a number of other retailers have sustained major data breaches. Last year, the information of 40 million cardholders and 70 million others were compromised at Target, while an attack at Home Depot in September affected 56 million cards.
But unlike retailers, JPMorgan, as the largest bank in the nation, has financial information in its computer systems that goes beyond customers’ credit card details and potentially includes more sensitive data.
“We’ve migrated so much of our economy to computer networks because they are faster and more efficient, but there are side effects,” said Dan Kaminsky, a researcher who works as chief scientist at White Ops, a security company.
Until just a few weeks ago, executives at JPMorgan said they believed that only one million accounts were affected, according to several people with knowledge of the attacks.
As the severity of the intrusion — which began in June but was not discovered until July — became more clear in recent days, bank executives scrambled for the second time in three months to contain the fallout and to reassure skittish customers that no money had been taken and that their financial information remained secure.
The hackers appeared to have obtained a list of the applications and programs that run on JPMorgan’s computers — a road map of sorts — which they could crosscheck with known vulnerabilities in each program and web application, in search of an entry point back into the bank’s systems, according to several people with knowledge of the results of the bank’s forensics investigation, all of whom spoke on the condition of anonymity.
Operating overseas, the hackers gained access to the names, addresses, phone numbers and emails of JPMorgan account holders. In its regulatory filing on Thursday, JPMorgan said that there was no evidence that account information, including passwords or Social Security numbers, had been taken. The bank also noted that there was no evidence of fraud involving the use of customer information.
Still, until the JPMorgan breach surfaced in July, banks were viewed as relatively safe from online assaults because of their investment in defenses and trained security staff. Most previous breaches at banks have involved stealing personal identification numbers for A.T.M. accounts, not burrowing deep into the internal workings of a bank’s computer systems.
Even if no customer financial information was taken, the apparent breadth and depth of the JPMorgan attack shows how vulnerable Wall Street institutions are to cybercrime. In 2011, hackers broke into the systems of the Nasdaq stock market, but did not penetrate the part of the system that handles trades.
JPMorgan’s chairman and chief executive, Jamie Dimon, has acknowledged the growing digital threat. In his annual letter to shareholders, Mr. Dimon said, “We’re making good progress on these and other efforts, but cyberattacks are growing every day in strength and velocity across the globe.”
Even though the bank has fortified its defenses against the attacks, Mr. Dimon wrote, the battle is “continual and likely never-ending.”
On Thursday, some lawmakers weighed in. Edward J. Markey, Democrat of Massachusetts and a member of the Senate Commerce Committee, said “the data breach at JPMorgan Chase is yet another example of how Americans’ most sensitive personal information is in danger.”
Hackers drilled deep into the bank’s vast computer systems, reaching more than 90 servers, the people with knowledge of the investigation said. As they analyze the contours of the breach, investigators in law enforcement remain puzzled, partly because there is no evidence that the attackers looted any money from customer accounts.
That lack of any apparent profit motive has generated speculation among the law enforcement officials and security experts that the hackers, who some thought to be from Southern Europe, may have been sponsored by elements of the Russian government, the people with knowledge of the investigation said.
By the time the bank’s security team discovered the breach in late July, hackers had already obtained the highest level of administrative privilege to dozens of the bank’s computer servers, according to the people with knowledge of the investigation. It is still unclear how hackers managed to gain such deep access.
The people with knowledge of the investigation said it would take months for the bank to swap out its programs and applications and renegotiate licensing deals with its technology suppliers, possibly giving the hackers time to mine the bank’s systems for unpatched, or undiscovered, vulnerabilities that would allow them re-entry into JPMorgan’s systems.
Beyond its disclosures, JPMorgan did not comment on what its investigation had found. Kristin Lemkau, a JPMorgan spokeswoman, said that describing the bank’s breach as among the largest was “comparing apples and oranges.”
Preparing for the disclosure on Thursday, JPMorgan retained the law firm WilmerHale to help with its regulatory filing with the Securities and Exchange Commission, people with knowledge of the matter said. Earlier on Thursday, some executives, including Barry Sommers, the chief executive of Chase’s consumer bank, flew back to New York from Naples, Fla., where they had convened for a leadership conference, these people said.
The initial discovery of the hack sent chills down Wall Street and prompted an investigation by the Federal Bureau of Investigation. The bank was also forced to update its regulators, including the Federal Reserve, on the extent of the breach.
Faced with the rising threat of online crime, JPMorgan has said it plans to spend $250 million on digital security annually, but had been losing many of its security staff to other banks over the last year, with others expected to leave soon.
Four members of an international hacking ring were charged with cracking the networks of the US Army and developers of blockbuster war video games to steal software, prosecutors said Tuesday.
Two of the men entered guilty pleas in the case, which centers on the “cyber theft” of at least $100 million worth of software and data, according to the Justice Department.
The hackers are accused of breaking into programs used for the Army’s Apache helicopter pilot training, Microsoft’s Xbox One consoles, and yet-to-be released video games “Gears of War 3” and “Call of Duty: Modern Warfare 3.”
Those charged in the case teamed with others in the US and abroad to hack into networks of Microsoft, Epic Games, Valve Corporation, and the US Army, according to the indictment.
“Members of this international hacking ring stole trade secret data used in high-tech American products, ranging from software that trains US soldiers to fly Apache helicopters to Xbox games that entertain millions around the world,” assistant attorney general Leslie Caldwell said.
An indictment returned in April and unsealed Tuesday charged the four with conspiracy to commit computer fraud, theft of trade secrets and other offenses.
Those named in the indictment were Nathan Leroux, 20, of Bowie, Maryland; Sanadodeh Nesheiwat, 28, of Washington, New Jersey; David Pokora, 22, of Mississauga, Canada; and Austin Alcala, 18, of McCordsville, Indiana.
Additionally, an Australian citizen has been charged under Australian law for his alleged role in the conspiracy, officials said, without identifying the suspect.
Officials said Pokora and Nesheiwat pleaded guilty in a Delaware federal court to some of the charges and are scheduled for sentencing on January 13.
Pokora was arrested on March 28, at the US-Canada border in Lewiston, New York. Officials said Pokora is believed to be the first person based outside the United States convicted of hacking into US businesses to steal trade secret information.
According to the indictment, the group hacked into networks to steal the source code, technical specifications and related information for Microsoft’s then-unreleased Xbox One gaming console, and other proprietary data related to the online gaming platform Xbox Live.
Other trade secrets stolen were from the Apache helicopter simulator software developed by Zombie Studios for the US Army and a pre-release version of Epic’s video game “Gears of War 3.”
The value of the stolen intellectual property and other losses was estimated between $100 million and $200 million.
Officials said they had seized over $620,000 in cash and other proceeds from the suspects.
This case is being investigated by the FBI, with assistance from the Department of Homeland Security, the US Postal Inspection Service and in coordination with the Western Australia Police and the Peel Regional Police of Ontario, Canada.
Law enforcers in Europe need greater powers to retain data for longer in order to catch cybercriminals selling discrete services that police cannot trace under existing regulations, according to a Europol report published on Monday.
Cybercrime is increasingly conducted by a highly specialised chain of software break-in experts, underground market-makers and buy-side fraudsters who convert stolen passwords and identities into financial gains. Criminals can keep data for months or even years before using it to defraud victims.
The study, entitled “The Internet Organised Crime Threat Assessment” by the EU’s criminal intelligence agency, says because laws limit how much data can be held and for how long, police cannot effectively trace and prosecute criminals.
Tougher laws for investigating and prosecuting cybercrime also need to be harmonised across the bloc, the report said.
“The majority of intelligence and evidence for cyber investigations comes from private industry. With no data retention, there can be no attribution and therefore no prosecutions,” says Europol of criminals who often operate beyond EU borders in Eastern Europe and beyond.
Europol also says the pool of cyberfraudsters is growing.
“Entry barriers into cybercrime are being lowered, allowing those lacking technical expertise including traditional organised crime groups to venture into cybercrime by purchasing the skills and tools they lack,” it said.
While providing no specific numbers, the agency says that the scale of financial losses due to online fraud has surpassed the losses from fraud with physical credit and other payment cards. Losses are huge, not just for card issuers but also for airlines, hotels and online retailers, the report states.
In other recommendations, it also warns about the abuse of anonymous virtual currency schemes such as Bitcoin, pointing to a “considerable challenge in tracking such transactions or even identifying activities such as money laundering”.
The agency highlights the role of anonymous, private networks, known as Darknets, in enabling a vast underground trade in drugs, weapons, stolen goods, stolen personal and payment card data, forged documents and child pornography.
Europol’s report capitalises on a growing body of literature from academic and private sector cyber threat researchers that have traced the rise of such online criminal marketplaces trading in billions of personal financial details.
“The future is already here”
Cybercriminals are cashing in on the latest Internet trends such as Big Data, Cloud Computing and The Internet of Things, allowing them to rent massive computing power to analyse vast troves of data gathered from the ever-expanding range of connected devices in homes, cars and on consumers themselves.
For example, the report finds that “Big Data” predictive software is now used by criminals to identify the most lucrative targets for credit card fraud and to improve methods of tricking consumers into divulging more personal data for later attacks.
“The future is already here,” the Europol study states.
The agency describes the rise of what it labels “Crime-as-a-Service”, running illicit activities via a network of independent suppliers, mimicking parts of the “Software as a Service” playbook that drives top Web companies, including Salesforce, Amazon.com and Google.
Crime-as-a-Service offerings include:
Data as a service collects huge volumes of compromised financial data such as credit cards and bank account details and bundles it with standard personal ID info. Such specialisation allows the massive automation of both online and offline fraud.
Pay-per-install, another service, is a means of distributing malware to compromised computers, by country or demographic, expediting both online and offline fraud because it frees fraudsters from having to steal personal data themselves.
Translation services, in which native speakers are hired to convert phishing or spam attacks written in one language into convincing, grammatically correct scripts in other tongues.
Money laundering services act as bridges to cash out from digital or physical world financial systems, often using money mules as go-betweens.
When popular Chinese handset maker Xiaomi Inc admitted that its devices were sending users’ personal information back to a server in China, it prompted howls of protest and an investigation by Taiwan’s government.
The affair has also drawn attention to just how little we know about what happens between our smartphone and the outside world. In short: it might be in your pocket, but you don’t call the shots.
As long as a device is switched on, it could be communicating with at least three different masters: the company that built it, the telephone company it connects to, and the developers of any third party applications you installed on the device – or were pre-installed before you bought it.
All these companies could have programmed the device to send data ‘back home’ to them over a wireless or cellular network – with or without the user’s knowledge or consent. In Xiaomi’s case, as soon as a user booted up their device it started sending personal data ‘back home’.
This, Xiaomi said, was to allow users to send SMS messages without having to pay operator charges by routing the messages through Xiaomi’s servers. To do that, the company said, it needed to know the contents of users’ address books.
“What Xiaomi did originally was clearly wrong: they were collecting your address book and sending it to themselves without you ever agreeing to it,” said Mikko Hypponen, whose computer security company F-Secure helped uncover the problem. “What’s more, it was sent unencrypted.”
Xiaomi has said it since fixed the problem by seeking users’ permission first, and only sending data over encrypted connections, he noted.
Xiaomi is by no means alone in grabbing data from your phone as soon as you switch it on.
A cellular operator may collect data from you, ostensibly to improve how you set up your phone for the first time, says Bryce Boland, Asia Pacific chief technology officer at FireEye, an internet security firm. Handset makers, he said, may also be collecting information, from your location to how long it takes you to set up the phone.
“It’s not that it’s specific to any handset maker or telco,” said Boland. “It’s more of an industry problem, where organisations are taking steps to collect data they can use for a variety of purposes, which may be legitimate but potentially also have some privacy concerns.”
Many carriers, for example, include in their terms of service the right to collect personal data about the device, computer and online activities – including what web sites users visit. One case study by Hewlett-Packard and Qosmos, a French internet security company, was able to track individual devices to, for example, identify how many Facebook messages a user sent. The goal: using all this data to pitch users highly personalized advertising.
But some users fear it’s not just the carriers collecting such detailed data.
Three years ago, users were alarmed to hear that U.S. carriers pre-installed an app from a company called Carrier IQ that appeared to transmit personal data to the carrier.
Users filed a class-action lawsuit, not against the carriers but against handset makers including HTC Corp, Samsung Electronics and LG Electronics which, they say, used the software to go beyond collecting diagnostic data the carriers needed.
The suit alleges the handset firms used the Carrier IQ software to intercept private information for themselves, including recording users’ email and text messages without their permission – data the users claim may also have been shared with third parties. The companies are contesting the case.
And then there are the apps that users install. Each requires your permission to be able to access data or functions on your device – the microphone, say, if you want that device to record audio, or locational data if you want it to provide suggestions about nearby restaurants.
Shedding some light
But it isn’t always easy for a user to figure out just what information or functions are being accessed, what data is then being sent back to the developers’ servers – and what happens to that data once it gets there. Bitdefender, a Romania-based antivirus manufacturer, found last year that one in three of Android smartphone apps upload personal information to “third party companies, without specifically letting you know.”
Not only is this hidden from the user, it’s often unrelated to the app’s purpose.
Take for example, an Android app that turns your device into a torch by turning on all its lights – from the camera flash to the keyboard backlight. When users complained about it also sending location-based data, the U.S. Federal Trade Commission forced the app’s Idaho-based developer to make clear the free app was also collecting data so it could target users with location-specific ads. Even so, the app has been installed more than 50 million times and has overwhelmingly positive user reviews.
While most concerns are about phones running Android, Apple Inc’s devices aren’t free from privacy concerns.
Carriers control the code on the SIM, for example, and this is one possible way to access data on the phone. And, despite stricter controls over apps in Apple’s app store, FireEye’s Boland says his company continues to find malicious apps for the iOS platform, and apps that send sensitive data without the user knowing. “The iPhone platform is more secure than the Android platform, but it’s certainly not perfect,” he said.
Apple says its iOS protects users’ data by ensuring apps are digitally signed and verified by Apple’s own security system.
Back in the seat
The problem, then, often isn’t about whether handset makers, app developers and phone companies are grabbing data from your phone, but what kind of data, when, and for what.
“If we look at the content sent by many apps it’s mindboggling how much is actually sent,” said Boland. “It’s impossible for someone to really know whether something is good or bad unless they know the context.”
Handset makers need to be clear with users about what they’re doing and why, said Carl Pei, director at OnePlus, a Shenzhen, China-based upstart rival to Xiaomi. OnePlus collects “anonymous statistical information” such as where a phone is activated, the model and the version of software that runs on it, Pei said, which helps them make better decisions about servicing customers and where to focus production.
Unlike Xiaomi, Pei said, OnePlus’ servers are based in the United States, which in the light of recent privacy concerns, he said, “gives people greater peace of mind than having them based out of China.”
That peace of mind may be elusive as long as there’s money to be made, says David Rogers, who teaches mobile systems security at the University of Oxford and chairs the Device Security Group at the GSMA, a global mobile industry trade association.
“Users are often sacrificed to very poor security design and a lack of consideration for privacy,” he said. “At the same time, taking user data is part of a profit model for many corporations so they don’t make it easy for users to prevent what is essentially data theft.”
Hackers have begun exploiting the newly identified “Shellshock” computer bug, using fast-moving worm viruses to scan for vulnerable systems and then infect them, researchers warned on Thursday.
“Shellshock” is the first major Internet threat to emerge since the discovery in April of “Heartbleed,” which affected encryption software used in about two-thirds of all web servers, along with hundreds of technology products.
The latest bug has been compared to “Heartbleed” partly because the software at the heart of the “Shellshock” bug, known as Bash, is also widely used in web servers and other types of computer equipment.
According to security experts, “Shellshock” is unlikely to affect as many systems as “Heartbleed” because not all computers running Bash can be exploited. Still, they said the new bug has the potential to wreak more havoc because it enables hackers to gain complete control of an infected machine, which lets them destroy data, shut down networks or launch attacks on websites.
The “Heartbleed” bug only allowed hackers to steal data.
The industry is rushing to determine which systems can be remotely compromised by hackers, but there are currently no estimates on the number of vulnerable systems.
Amazon.com Inc and Google Inc have released bulletins to advise web services customers how to protect themselves from the new cyber threat. A Google spokesman said the company is releasing software patches to fix the bug.
“We don’t actually know how widespread this is. This is probably one of the most difficult-to-measure bugs that has come along in years,” said Dan Kaminsky, a well-known expert on Internet threats.
For an attack to be successful, a targeted system must be accessible via the Internet and also running a second vulnerable set of code besides Bash, experts said.
“There is a lot of speculation out there as to what is vulnerable, but we just don’t have the answers,” said Marc Maiffret, chief technology officer of cyber-security firm BeyondTrust. “This is going to unfold over the coming weeks and months.”
Attacks on devices
Joe Hancock, a cyber-security expert with insurer AEGIS in London, said in a statement that he is concerned about the potential for attacks on home broadband routers and controllers used to manage critical infrastructure facilities.
“In some areas this will be a challenge to fix, as many embedded devices are not designed with regular updates in mind and will never be able to be patched,” Hancock said.
HD Moore, chief research officer with security software maker Rapid7, said it could take weeks or even months to determine what impact the bug will have.
“At this point we don’t know what we don’t know, but we do expect to see additional exploit vectors surface as vendors and researchers start the assessment process for their products and services,” Moore said in an email. “We are likely to see compromises as a result of this issue for years to come.”
Linux makers released patches to protect against attacks on Wednesday, though security researchers uncovered flaws in those updates, prompting No. 1 Linux maker Red Hat Inc to advise customers that the patch was “incomplete.”
“That’s a problem. It’s been a little over 24 hours and we’re still in the same boat,” said Mat Gangwer, lead security consultant at Rook Security. “People are kind of freaking out. Rightfully so.”
Russian security software maker Kaspersky Lab reported that a computer worm has begun infecting computers by exploiting “Shellshock.”
The malicious software can take control of an infected machine, launch denial-of-service attacks to disrupt websites, and also scan for other vulnerable devices, including routers, said Kaspersky researcher David Jacoby.
He said he did not know who was behind the attacks and could not name any victims.
Jaime Blasco, labs director at AlienVault, said he had uncovered the same piece of malware, as well as a second worm seeking to exploit “Shellshock,” which was designed for launching denial of service attacks.
“Heartbleed” is a bug in an open-source encryption software called OpenSSL. The bug put the data of millions of people at risk, as OpenSSL is used in about two-thirds of all websites. It also forced dozens of technology companies to issue security patches for hundreds of products that use OpenSSL.
Two members of an international hacking ring that gained access to a U.S. Army computer network while targeting computer giant Microsoft and several video game developers pleaded guilty to conspiracy charges today in federal court in Delaware.
David Pokora, 22, of Mississauga, Ontario, and Sanadodeh Nesheiwat, 28, of Washington, New Jersey, each pleaded guilty to a single count of conspiracy to commit computer fraud and copyright infringement. They face up to five years in prison when sentenced in January. Prosecutors said the two men were part of a small group of gaming enthusiasts that called itself the Xbox Underground. An 18-count superseding indictment that was returned by a grand jury in April and unsealed Tuesday also charges Nathan Leroux, 20, of Maryland, and Austin Alcala, 18, of Indiana, with participating in the conspiracy.
An Australian national whose name was not released also has been charged, and authorities, who are continuing their investigation, say roughly half a dozen other individuals may be involved. According to prosecutors, the defendants stole more than USD 100 million in intellectual property and other proprietary data related to the Xbox One gaming console and Xbox Live online gaming system and popular video games such as “Call of Duty: Modern Warfare 3” and “Gears of War 3.”
“These were extremely sophisticated hackers…. Don’t be fooled by their ages,” Assistant U.S. Attorney Ed McAndrew said after Tuesday’s court hearing.
At the same time, McAndrew said, their method of compromising the computer systems of the companies was relatively basic: stealing the computer user names and passwords of employees and software development partners. Once inside the companies’ computer networks, the conspirators accessed and stole unreleased software, software source code, trade secrets, copyrighted and prerelease works, and other information, authorities said. They also stole financial and other sensitive information relating to the companies, but not their customers, McAndrew told U.S. District Court Judge Gregory Sleet.
Prosecutors said the ring’s exploits included manufacturing and selling a counterfeit Xbox One gaming console before the unit’s official release and gaining access to an Army computer system for two months in late 2012 through their hacking of Zombie Studios, a Seattle-based video game company that was working with the Army on flight simulation software to train Apache helicopter pilots. “As soon as they were notified, they addressed the particular manner in which they were breached,” McAndrew said when asked about the military’s response to the hacking.
A critical, remotely exploitable vulnerability has been discovered in the widely used Linux and Unix command-line shell known as Bash, aka the GNU Bourne Again Shell, leaving countless websites, servers, PCs, OS X Macs, various home routers, and many more open to cyber criminals.
REMOTELY EXPLOITABLE SHELL SHOCK
The vulnerability (CVE-2014-6271) affects versions 1.14 through 4.3 of GNU Bash and has been named the Bash Bug, or Shellshock, by security researchers in online discussions.
According to the technical details, an attacker could exploit this Bash bug to execute shell commands remotely on a target machine using specially crafted variables. “In many common configurations, this vulnerability is exploitable over the network,”
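The articles above describe Bash importing commands from crafted variables and the first round of vendor patches being incomplete. As an added example that is not part of the original reporting, this POSIX shell script checks whether the Bash binary on the local host still runs a trailing command when importing a function definition from its environment; the probe value is the widely published harmless self-test (it only echoes a marker), and the function name, marker string and output words are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the articles): verify whether the local GNU Bash
# is still affected by CVE-2014-6271 ("Shellshock"). A vulnerable Bash
# executes the command that follows a function definition stored in an
# environment variable; a patched Bash ignores it.
# Prints one word: vulnerable, patched, or no-bash.

shellshock_status() {
    bash_bin=${1:-bash}   # optional path to the Bash binary under test
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    # The crafted variable is exported only into this single child process
    # via env, so nothing else on the host sees it. The "payload" is a
    # harmless echo of a marker string (constructed for this check).
    # Older patched builds print a "ignoring function definition attempt"
    # warning on stderr; discard it so only stdout is inspected.
    out=$(env 'shellshock_probe=() { :;}; echo SHELLSHOCK_MARKER' \
              "$bash_bin" -c 'echo probe-done' 2>/dev/null)
    case $out in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# Report the Bash version alongside the result so a finding is actionable
# (which host, which build, patch or not).
shellshock_report() {
    bash_bin=${1:-bash}
    status=$(shellshock_status "$bash_bin")
    ver=$("$bash_bin" --version 2>/dev/null | head -n 1)
    echo "bash: ${ver:-not found}"
    echo "shellshock: $status"
}

# Usage: run against the default bash, or pass a path such as /bin/bash.
shellshock_report "$@"
```

Run it on each host after applying vendor updates; a result of vulnerable means the update either was not applied or, as Red Hat warned, was incomplete for that build.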
Traffic signals on our roads are now operated through digital networks, and it has been demonstrated that hacking traffic lights is not a hard hack; even a college student could do it.
Researchers at the University of Michigan say they hacked real traffic light signals in practice; according to them, the lights could be hacked easily by anyone using a laptop and the right kind of radio.
Distributed Denial of Service (DDoS) attacks are becoming more sophisticated and complex, and, according to security experts, the next DDoS vector to be concerned about is SNMP (Simple Network Management Protocol) amplification attacks.