It turns out the JPMorgan Chase hack could have been prevented if it had consistently applied its existing security standards. JPMorgan uses two-factor authentication to prevent this kind of attack (users need both their password and a one-time pin to get access), but one of the servers was never updated. Someone found the insecure server and used it to break into JP Morgan’s network, report Matthew Goldstein, Nicole Perlroth, and Michael Corkery for The New York Times.
JPMorgan hack didn’t use a zero-day exploit
When the attack happened the assumption was that only a very sophisticated hacker, possibly state sponsored, could have broken through the bank’s sophisticated security, and Russia was widely suspected to have been involved. That’s not to say that the person or group behind the hack isn’t skilled, but it didn’t involve exploiting a zero-day vulnerability or an innovative angle of attack to pull off and the FBI no longer considers the Russian government to be a suspect in the case.
JPMorgan says that they haven’t seen any incidents of fraud stemming from the security failure, and that while personal information was compromised the hackers didn’t gain access to any account details.
Remaining skeptical about allegations of state-sponsored cyber-attacks
Even though the JPMorgan case may seem like old news, it’s worth bearing in mind as people discuss the alleged North Korean hack of Sony Pictures Entertainment (a subsidiary of Sony Corp). The FBI has linked the attack to North Korea (not necessarily the government) because of the type of malware used, the IP addresses involved, and some other technical details, but security experts aren’t convinced.
“Maybe the NSA has some secret information pinning this attack on the North Korean government, but unless the agency comes forward with the evidence, we should remain skeptical,” writes Bruce Schneier on his blog. “I personally think it is a disgruntled ex-employee, but I don’t have any more evidence than anyone else does.”
Schneier also points out that the hackers didn’t mention North Korea until it was already in the press, which means they could just be intentionally feeding the hysteria (if that sounds strange to you, read up on LulzSec). That’s not to say North Korea wasn’t involved, but we should be a bit more hesitant to accept claims of cyberwarfare.
