JP Morgan Chase Breach: Shades of a Cyber Cold War?

TheRealHocusLocus writes: The New York Times is quoting "people briefed on the matter" who allege that the JP Morgan data thieves "are thought to be operating from Russia and appear to have at least loose connections with officials of the Russian government." The article suggests it could be retaliation for sanctions. Personally, I'm skeptical — I've seen the former Soviet Union evolve into an amazingly diverse culture that is well represented on the Internet. This culture has grown alongside our own and runs the gamut of characters: tirelessly brilliant open source software developers, lots of regular folk, and yes — even groups affiliated with organized crime syndicates. This is no surprise, and these exist in the U.S. too. Are we ready to go full-political on this computer security issue, worrying more about who did it than how to protect against it in the future? How do you Slashdotters feel about these growing "tensions," and what can we do to help bring some reason to the table? The article also notes that the same group responsible for the breach at JP Morgan Chase was responsible for attacks on 9 other financial institutions.

All is fair...

[BringsApples]

...in love and war.

Re:

[koan]

All is vanity.

Re:

[BringsApples]

"All is fair in love and war" can mean anything you want, but here, it would be wise to look at it to mean, "Inspire love rather than war".

So many groups of people aren't satisfied with the current configuration of the financial institution that the US harbors, because it's a debt-based system whereby many many more are in debt than are not.

Re:

[TheRealHocusLocus]

Remember wise old Solomon
Recall his history
He was the wisest man on Earth
And so he cursed the day of his birth
He knew that all is vanity

So not much fun was poor Solomon
Now most of us would agree
We are not much better off than he
His brains it was that put him on the spot
I thought that brains were good--- Guess not!

~Threepenny Opera

Betteridge's law of headlines

[Anonymous Coward]

no

Re: Betteridge's law of headlines

[tysonedwards]

Don't be daft. Everyone has at least a loose association with a government official, and that's what's being asserted here. A friend of a friend was a Russian Government official, thereby the whole thing must be their fault! Couldn't possibly be that it was "because we could", or "because it looked like easy money", or "because they were acting in a criminal syndicate"... Nope, we need a new enemy and ISIS isn't scary enough and China owns too much of our debt, so Russia it is!

Re:

[TheRealHocusLocus]

The submitter is even "skeptical" about the whole issue.

Hello. I'm more than skeptical, I find it alarming. It's Orwellian. Because I remember a time when the US and USSR were one provocation away from open conflict. And as we all knew at the time it would have been ugly and global. I remember when newspapers went out of their way not to even appear to be inviting or inciting conflict. The New York Times now considers itself to be an ankle-biting attack dog for the Obama Administration. They're proud of it. It would merely be pathetic if one could find hum

Re:

[cavreader]

About the idea of China owning much of the US debt. Over 80% of the national debt is owned by the US Federal Reserve. The remaining debt is parceled out in bonds and investment certificates to countries and regular people. China and a lot of other countries stash large sums of cash in US financial instruments. The US is recognized as one of the safest and stable places to invest their money. And in the unlikely event that the US and China were to start a war or do anything else that pisses off the US gover

Re:

[cavreader]

Other than the US embassy what property or bank accounts could China freeze to seriously harm the US? And for a million soldiers to get any where close to the US they would have to execute the "million man" swim to get there. One word: logistics. Geography has always given the US an advantage. There is not a single country on the planet who can project military power any where in the world on a moments notice except for the US. No other country has as many foreign military bases around the world as the US.

Classic case of not owning the problem

[Anonymous Coward]

Just as most other organizations that have been hacked and made public, I'm sure they (JP Morgan Chase and associated entities) would love to blame this on some "advanced", "state sponsored", or other threat they claim was unrealistic to defend against. They will claim they spend a lot of time and money, and they still got hacked. In reality, they simply use the "time and money" as as plausible deniability. They are making so much money off their "customers", they could care less about security. It's all ab

um

[Charliemopps]

I think someone doesn't know the definition of "Cold war"
Given that this story is about an actual attack, that would lead me to believe this is a "hot" war.

Re:

[TheRealHocusLocus]

The difference between a hot war and a cold war is that during a hot war people do very little prevarication about who's responsible. For example, note that Ukrainian separatists openly boasted about blowing a plane out of the sky when they thought that it was a Ukrainian plane. They didn't start lying about it until they found out that it was a Dutch passenger plane. Cold war attacks are like that from the beginning. They didn't happen. If you can prove they did happen, we didn't do it. We don't know anything about it. If you can prove we did it, then it was a mistake. Also, this is not what I would describe as an actual attack. There were no boots on the ground. No weapons fire. No one died. Economic sabotage is exactly the kind of thing that happens during a cold war precisely because it is easily deniable.

Well said. Spoken like an old school CIA analyst. To clarify for the three-letter gubmint haters out there, that is high praise.

I see a Cold War as a sort of heavy mechanical 'flywheel' that begins to move because it is fed with an assortment of motive and sentiment. It may be started by some actual conflict such as competition for resource or political influence in contested regions, or difference of ideology and the merest suspicious of intent of conquest... it feeds also on distrust... but once it get

Loose connections?

[rduke15]

appear to have at least loose connections with officials of the Russian government.

I thought any important criminal gang in Russia had much more than "loose connections with the gorvernment.

Corporate Wars

[Jim Sadler]

How long before we see corporations forming hacking groups off shore dedicated to destroying competition by breaching security and causing chaos? Causing chaos to a competitor is one way to steer profits towards a companies cash registers. Can't you see Burger King trying to wipe out McDonalds?

Re:

[CaptainDork]

I agree with you, but a question I'm more concerned about is, "How long before we see corporations tighten up their stuff?"

Personally, I don't see that happening until some major lawsuits are filed.

Re:

[mlts]

Here is the problem rearing up with two nasty heads:

The first is that security has no ROI, and has a relatively trivial financial cost. A major breach happens, a company feeds a PR firm some cash, says they boosted security [1], they toss all affected a year's subscription to some monitoring service, and that is that. Come a lawsuit, there isn't much to sue because they can easily throw their hands up and say that the hackers would get through anything.

Which brings up the second point. In the 1990s, a ro

Re:

[CaptainDork]

I'd mod you +1 if I could. Well said.

Re:

[koan]

This has been going on as long as the Internet has existed, you are a bit slow on the uptake.

Re:

[sgt_doom]

You're not particularly current, dood, it has been going on for quite some time now.

Re:

[BringsApples]

I like the way you think, because it's insightful. But in this case, who would be the competition to The Federal Reserve?

Re:

[Deadstick]

And this would be a bad thing how?

Re:

[eric_harris_76]

That was sarcasm, I assume. (But thanks to Poe's Law, I don't put much confidence in that assumption.)

We do all know that the movie "Demolition Man" was fiction, right?

Worry less about motive - worry about apathy

[QuasiSteve]

http://www.bloomberg.com/news/... [bloomberg.com]

tl;dr: People think it'll happen at other banks anyway, plus it costs money to change banks, thus they don't care enough and stick with Chase (JP Morgan).
And, naturally, how does the stock market react to that? "The bankâ(TM)s shares climbed 2.5 percent to $60.30"

Start making people care that a company they do business with has been hacked, maybe then people will actually bother to worry about motives.

Re:

[matthekc83]

I would like to be able to care less. We need to get the ssn to have a changable security pin attached to it. It looks like your information has been compromised sorry you will have to change your pin... darn.

Can We All Just Get Along?

[MellowBob]

No.

FUD. They don't even know.

[Vokkyt]

From the article:

"But much remains unanswered about the intrusion, including just who the hackers are, which other financial institutions were hit and why the hackers went down a path inside JPMorganâ(TM)s computer system that contained troves of customer information, but not financial data."

They have no motive, no indication of who, or why they did what they did. I agree with posters saying that it's officials throwing out a red herring to get everyone worked up over Russia instead of poor security.

Re:

[crunchy_one]

Spot on comment. TFA also fails to name the 10 financial firms that were allegedly attacked. The New York Times seems to be rapidly morphing into a US version of Russia Today. If there's any new cold war, it's clearly a propaganda war. And guess what? I don't give a flying fuck.

Re:

[Archtech]

Very much like the utterly unsubstantiated claims that Russia had something to do with the shooting down of MH17. John Kerry said that there was a mountain of evidence, but so far not a single shred of evidence has been published by the US government. The Russians released a good deal of hard evidence, including radar traces and the locations of known BUK units. Basically, MH17 was shot down either by cannon fire from one or more fighters, or by a BUK SAM. The only fighters in the air that day were Ukrainia

Re:

[xdor]

Perhaps the recently revealed large and widespread payments made by the CIA to American media

Citation please.

Re:

[Archtech]

"Citation please".

That's an easy game to play, isn't it? Tell you what: first, since it was mentioned first, YOU give ME a citation for some hard evidence substantiating the claim of Russian involvement in the J.P. Morgan affair.

And if you want a citation for the CIA allegations, Google is your friend.

Re:

[Archtech]

Although I did go to the CIA Web site and searched for "propaganda media". This is what I saw next:

Search is Temporarily Unavailable

Search is temporarily unavailable. We apologize for the inconvenience. Please try again later.

Posted: Aug 27, 2012 04:31 PM
Last Updated: Aug 27, 2012 04:31 PM

Re:

[khallow]

while the rebels may have captured a BUK unit, it had no radar.

Unless of course, the system actually had a radar contrary to your assertion. For example, they could have gotten a radar from their buddies in Russia and maybe a few trainers too. It's worth noting here that there weren't problems with airliners getting shot down by BUK SAMs until the rebels got a hold of one. Maybe they got framed, but maybe a poorly trained SAM crew killed 298 innocent people.

Then there's the interference with the crash site by the rebel side. You'd think they'd be more forthcoming, i

Re:

[znrt]

which "rebel side"? you mean the fascist western backed coup d'état that overthrew a legitimate elected government and threw the country into civil war?

and you guys still speak of "cold" wars? lol.

Boot them from the Swift system for a few weeks

[EmperorOfCanada]

If this turns out to be provably true then an easy solution would be to boot Russia from the swift system for a few weeks. That would basically mean that no international transactions could take place large or small. Or if they wanted to make it interesting they could restrict swift transactions to minor amounts so that the very richest would be impacted while the average Russian would feel a lesser impact.

But large food importers and whatnot would be massively impacted.

But before this can be done Euro

Re:

[koan]

Or maybe we can goose step Dimon to jail, and burn JPMorgan to the ground financially.

Re:

[Bob_Who]

Or maybe we can goose step Dimon to jail, and burn JPMorgan to the ground financially.

Now that's the first pertinent response I've yet heard.

Why should we trust anything JP Morgan says when they are proven liars and frauds and they are protected by policy. The fact is that bank robbery has been conveniently been redefined as identity theft, therefore JP Morgan has less at stake when they say this happened. One minute they're secure, the next, they're not but they can point to the perpetrators with certainty. Yeah right, I trust them, its the commie gangster's fault. Not one US Banker

Re:

[hjf]

Argentina has VAST reserves of gas and oil. They just don't have the money to exploit them.

Re:

[hjf]

Argentina paid to repsol MORE than its market value estimation.
And what they did was not "illegal". If it was, they couldn't have done it.

FUD

[mike.mondy]

Posting to undo moderation mistake.

shades of incompetence actually...

[Karmashock]

Secure your fucking networks or get off the internet.

Hackers: "This is our world now."

[matthekc83]

Hackers movie quote "This is our world now. The world of the electron and the switch" I think at some point nearly everthing will get "hacked"... we can cry about it or we can make things less fun. Hackers movie quote "There is no right and wrong. There's only fun and boring." We need treaties to ensure those commiting crimes can be prosecuted across borders with long boring sentences. Hackers movie quote "Kid, don't threaten me. There are worse things than death, and uh, I can do all of them." For the lo

Wagging the dog?

[ErikTheRed]

"People briefed on the matter" generally equals "deliberate leak, to move public opinion or at least test the waters."

Re:

[koan]

Then you're an idiot, that's reason for war.

Propaganda

[koan]

Sounds like one of many smears to come up prior to some sort of "intervention" in Russia or just the usual "he said she said" crap our (and other) government/s are famous for.

Re:

[Anonymous Coward]

When the leader of your country is connected to the mafia, declares himself leader and starts taking over other countries this is very much different from a country that has democratic elections and holds freedom as an ideal. I'm sure there are great people in Russia, but it is no united states.

Are you describing President Obama and the United States of Amerika (now KKK) or President Putin and Russia (formerly part of the CCCP)? Any pretence of freedom in USA has long been exposed an a fallacy. Dear Leader Barack Hussein Obama is merely jealous that Putin wrestles with Siberian tigers, swims in icy waters, and does not bow and scrap to the Master of the Plantation.

Re:

[k6mfw]

Goes to show what's happened with this country. it seems much of Obama's policies are extension of Bush. Both parties put highest priority on surveillance of the people and in meantime more and more people struggling financially with feeling both political parties and higher ups are more interested in themselves rather than what's good for the country. Then there's foreign policy debacles in Middle East. Perfect timing for Putin to expand his empire and ISIS to go on their rampage because now it's difficult

Re:

[wiredlogic]

You shouldn't delude yourself into thinking that the US has free elections or in any resembles a true democracy or republic. Just look at how almost all states ban non-party affiliated voters from participating in primaries even though they use public resources to collect those votes.

Technology should be designed to be *secure*

[Anonymous Coward]

And system administrators have to stop acting like implementing security is a bad idea, shouldn't happen, and won't work. You can argue that 'the business' always comes first no matter what. However that doesn't work if 'the business' puts security at risk. If your business is cloned by a foreign competitor your screwed, if your bank accounts drained your screwed, if you really think 'the business' always comes first your wrong. It highly depends on what the risks from being comprised are.

I'm the CEO of a small technology company and I get that security is hard. Hell- I'm not even living up to my own high standards. However its hard to do that when *nobody* else is. Despite that I'm trying to put security first during our web site revamp (the most critical aspect of this company, if our security is hosed in a slow planned manor we'll never recover).

One good example is the 'security' systems (two factor authentication) aren't even well thought out and are done such to be 'cheap' rather than effective. This will only stop the bottom feeders temporarily. It won't stop Russian organized crime from doing live intercepts via botnets to gain access to bank accounts and once the tools are sold to typical criminals the entire system is back in the hands of the criminals. I have nothing against the criminals, and considering that I'm the *primary victim* (100% of the shares, business owner here) when fraud happens I'm in a position where I should be more pissed than anyone (and it happens too often).

But I'm not because the problem isn't the criminals. It's the lack of security and enablement by critical institutions (government and corporate). What I have a problem with is visa, master card, american express, the banks, and the government. They are not implementing the systems we actually need.

1. True security, not halfway crap 'wireless WEP/WPA/WPA2', if your bank's site gets 'hacked' and a known vulnerability w patch exists at the time, then the bank should be shut down, assets seized, etc, none of this proprietary bull shit either. All defaults should be set to off or specifically added to a white list after approval only (on the client side, things like macros, etc).

2. The systems should be built on hardware that there is source code for and audited. BIOS, firmware components, etc. Right now this doesn't even really exist unless we're talking about *a consumer router* or two. Some individual components may qualify as being pretty close to 100% free software friendly and source code available though.

3. Calling a cell phone for authentication is NOT a security measure. It's merely a nuisance for the customer (particularly when the cookies make it such you can steal them and never actually have to authenticate via phone anyway). We need something closer to secure ID /w password (on the secure ID token itself). This would prevent the ability of a middle-man (or make it much more difficult) because the identification number revealed by the token to authenticate can only be used once and you can be confident that the person involved in accessing it did authorize it. Now it won't prevent some attacks where the system is compromised, but you can thwart unauthorized wire transfers by adding a screen that shows information to a wire transfer such that the user has to approve it on the device itself. This way the attacker could not simply show the user a different set of data than the one he authorized by entering the token number during authentication.

Russian diversity

[wonkey_monkey]

I've seen the former Soviet Union evolve into an amazingly diverse culture that is well represented on the Internet. This culture has grown alongside our own and runs the gamut of characters: tirelessly brilliant open source software developers, lots of regular folk

But no pooftahs [youtube.com].

Re:

[mjwalshe]

In Russia we have many types of criminals "simples yes" - as Lord Leveson sort of said perception is a bitch

Blame Russia to distract the plebs

[Anonymous Coward]

Hurr durr, someone hacked us and exposed our incompetence. Let's blame Russia so the masses don't take it out on us.

Attribution?

[Lawrence_Bird]

Fail, fail and more fail. The press, three letter agencies and especially the congress critters love to a) inflate the threat and b) give attribution when none is possible. This book [amazon.com] is extensively researched and has footnotes out the ying-yang. Bottom line is attribution at a level where one can say "these guys did it" is rare and even saying "probably did it" is difficult. And beware that many of the players involved have multiple objectives and even relationships with each other (when convenient).

Curious reframing within a reframing . . .

[sgt_doom]

. . . after all, JPMorgan Chase (Chase) is the largest criminal organization in America today, and together with Goldman Sachs, they effectively run and control the US Department of the Treasury, while existing as the major forces of the Federal Reserve Bank. If the Russian mob was attacking the American mob, it is really about the mobs, now isn't it?

Ah yes, The Times

[fustakrakich]

The war mongering Randolph Hearst of the new century, and the old one.

I'm rooting for the Russians

[Mister Liberty]

I hate banks. So should you.

Re:

[Billly Gates]

Well when your account has no money and your boss has to let you go due to no line of credit available to the finance department to pay your monthly salary I think your mind will change.

Cooperation

[Sciath]

Going after criminals (in foreign countries) requires the cooperation of that government. Russian government (like the U.S.) is corrupt enough to impede any legitimate investigations. Especially when government officials are benefitting from the criminal activities. In the case of Russia, there is little incentive for Putin to cooperate.

Diversity of russians

[bombman]

I find it an odd chain of logic, that because the Russian netizens are a diverse bunch, then it excludes that
a crime syndicate with ties to persons in the Russian government are involved in some specific incident of hacking.
Both can easily be true at once.