Cybersecurity

JPMorgan’s Form 8-K to Investors: We’ve Been Hack-Mapped!

EW-blog_JPM-5DayChart_03OCT2014JPMorgan’s Form 8-K filed on Thursday with the Securities and Exchange Commission advises:

On October 2, 2014, JPMorgan Chase & Co. (“JPMorgan Chase” or the “Firm”) updated information for its customers, on its Chase.com and JPMorganOnline websites and on the Chase and J.P. Morgan mobile applications, about the previously disclosed cyberattack against the Firm. The Firm disclosed that:

• User contact information – name, address, phone number and email address – and internal JPMorgan Chase information relating to such users have been compromised.

• The compromised data impacts approximately 76 million households and 7 million small businesses.

• However, there is no evidence that account information for such affected customers – account numbers, passwords, user IDs, dates of birth or Social Security numbers – was compromised during this attack.

• As of such date, the Firm continues not to have seen any unusual customer fraud related to this incident.

• JPMorgan Chase customers are not liable for unauthorized transactions on their account that they promptly alert the Firm to.

The Firm continues to vigilantly monitor the situation and is continuing to investigate the matter. In addition, the Firm is fully cooperating with government agencies in connection with their investigations.

According to ZDNet, a forensic security firm suggests the bank’s users’ accounts are now at greater risk of compromise and that password changes and two-factor authentication should be implemented to address the risk.

However, the 8-K’s wording indicates a different security risk altogether as the users’ passwords and Social Security numbers are not compromised.

The disclosure of information compromised combined with earlier reporting about the breach more closely matches a description of that collected by National Security Agency’s TREASURE MAP intelligence collection program. TREASURE MAP gathered information about networks including nodes, but not data created by users at the end nodes of the network. The application delineated the path to the ends. and physical ends, not merely virtual ends of the network. Continue reading

Someone Treasure Mapped JP Morgan

Treasure Map

Map the entire Internet — any device, anywhere, all the time. — NSA TREASUREMAP PPT

Last week, The Intercept and Spiegel broke the story of NSA’s TREASUREMAP, an effort to map cyberspace, relying on both NSA’s defensive (IAD) and offensive (TAO) faces.

As Rayne laid out, it aspires to map out cyberspace down to the device level. As all great military mapping does, this will permit the US to identify strategic weaknesses and visualize a battlefield — even before many of adversaries realize they’re on a battlefield.

Against that background, NYT provided more details on the penetration of JP Morgan’s networks that has been blamed on Russia. The new details make it clear this was about reconnaissance, not — at least not yet — theft.

Over two months, hackers gained entry to dozens of the bank’s servers, said three people with knowledge of the bank’s investigation into the episode who spoke on the condition of anonymity. This, they said, potentially gave the hackers a window into how the bank’s individual computers work.

They said it might be difficult for the bank to find every last vulnerability and be sure that its systems were thoroughly secured against future attack.

The hackers were able to review information about a million customer accounts and gain access to a list of the software applications installed on the bank’s computers. One person briefed said more than 90 of the bank’s servers were affected, effectively giving the hackers high-level administrative privileges in the systems.

Hackers can potentially crosscheck JPMorgan programs and applications with known security weaknesses, looking for one that has not yet been patched so they can regain access.

Though the infiltrators did observe metadata — which, the NSA assures us, is not really all that compromising.

A fourth person with knowledge of the matter, also speaking on condition of anonymity, said hackers had not gained access to account holders’ financial information or Social Security numbers, and may have reviewed only names, addresses and phone numbers.

I’m not trying to make light of the mapping of one of America’s most important banks. Surely, such surveillance may enable the same kind of sophisticated attack we launched against Iran, having done similar kind of preparation.

But we should keep in mind what the US has been doing as we consider these reports. If and when Russia or Germany catch us conducting similar reconnaissance on the networks of their private companies, they will surely make a big stink, as we have been with JP Morgan (though the response to the Spiegel story has been muted enough I suspect Germany’s intelligence services knew about that one, particularly given NSA’s reliance on Germany for targets in Africa).

But if the US is going to treat digital reconnaissance as routine spying (and the President’s cyberwar Presidential Policy Directive makes it pretty clear we consider our own similar reconnaissance to be mere clandestine spying), then we should expect the same treatment of our most lucrative targets.

That doesn’t make it legal or acceptable. But that does make it equivalent to what we’re doing to the rest of the world.

One final point. If you’re going to map the entire Internet, any device, anywhere, by definition you need to map America’s Internet as well. Are we so sure our own Intelligence Community hasn’t been snooping in JP Morgan’s networks?

Treasure Map: It’s About Location, Not Gold

Der Spiegel and The Intercept published collaborative reporting this weekend on another Snowden document — this one referring to a National Security Agency program named TREASURE MAP.

The most chilling part of this reporting is a network engineer’s reaction (see here on video) when he realizes he is marked or targeted as a subject of observation. He’s assured it’s not personal, it’s about the work he does – but his reaction still telegraphs stress. An intelligence agency can get to him, has gotten to him; he’s touchable.

The truth is that almost any of us who follow national security, cyber warfare, or information technology are potential subjects depending on our work or play.

The metadata we generate is only part of the observation process; it provides information about our individual patterns of behavior, but may not actually disclose where we are.

TREASURE MAP goes further, by providing the layout of the network on which any of us are generating metadata. But there is some other component either within TREASURE MAP, or within a complementary tool, that provides the physical address of any networked electronic device.

The NSA has the ability to track individuals not only by Internet Protocol addresses (IP addresses), but by media access control addresses (MAC addresses), according a recent interview with Snowden by James Bamford in Wired. This little nugget was a throwaway; perhaps readers already assumed this capability has existed, or didn’t understand the implications:

…But Snowden’s disenchantment would only grow. It was bad enough when spies were getting bankers drunk to recruit them; now he was learning about targeted killings and mass surveillance, all piped into monitors at the NSA facilities around the world. Snowden would watch as military and CIA drones silently turned people into body parts. And he would also begin to appreciate the enormous scope of the NSA’s surveillance capabilities, an ability to map the movement of everyone in a city by monitoring their MAC address, a unique identifier emitted by every cell phone, computer, and other electronic device.

[emphasis added]

In simple terms, IP addresses are like phone numbers — they are assigned. They can be static; a printer on a business network, for example, may be assigned a static address to assure it is always available to accept print orders at a stationary location. IP addresses may also be dynamic; if there’s an ongoing change in users on a network, allowing them to use a temporary address works best. Think of visits to your local coffee shop where customers use WiFi as an example. When they leave the premise, their IP address will soon revert to the pool available on the WiFi router. Continue reading

Keith Alexander Wants to Patent Having No Knowledge

Have you noticed that every time someone covers all the patents Keith Alexander is getting for his cybersecurity boondoggle, the number of patents grows?

In this installment, it is 10.

IronNet is working with lawyers to draft as many as 10 patent applications in which the NSA would have no stake. Alexander said the “real key” to the patents was a person who never worked for the agency.

[snip]

In addition to dispensing advice, IronNet is working with lawyers to draft as many as 10 patent applications that will include Alexander as co-inventor on one and “maybe a few others,” he said. 

Of course, no matter how many patents it will be, Alexander is still left with the problem of explaining either why this isn’t stuff taxpayers paid for at NSA, or why Alexander didn’t implement these whiz-bang solutions while in charge of NSA.

So he’s inching closer and closer to one that might work: he’s going to patent having no knowledge.

Current cybersecurity strategies assume the defender knows what threats are present, and can quickly identify them by their digital profile, known as their signature. Alexander said IronNet’s approach is to counter those attacks as quickly as possible, without that prior knowledge.

“All the patents and stuff that people work on today assume knowledge of the threat,” he said. “What it means is a new approach. Something that’s never been used.”

It’s surely a novel approach — attacking perceived threats before you’re sure what that threat is. I’m just not sure how well it’s going to work.

While Alexander is busy shoring up his 10, 11, 12 patents, I think I’ll rush to copyright my new novel, in which a hubristic cybersecurity profiteer takes down the entire banking system by attacking core finance functions he identifies as attacks.

The Article 5 Cyber-Trap

The other day, I noted the dodginess of the evidence behind claims that Russia had launched a sophisticated cyberattack on JP Morgan. I suggested one reason people like Mike Rogers might be crying wolf was to support a plan to reimburse the banks in case of a massive attack.

But there’s another, even more obvious explanation.

NATO just added cyberattacks to its definition of attacks that would merit a unified response. Citing Russia’s Special Forces tactics (the same ones we’re using in something like 80 places around the world), including its cyberattacks, General Phillip Breedlove today ratcheted up the fear of Russia. (h/t Joanne Leon)

Russia’s utilization of troops without national uniforms — the so-called “little green men” — and perhaps “the most amazing information warfare blitzkrieg we have ever seen in the history of information warfare” were part of the first Russian push in Ukraine, Breedlove said.

NATO members, especially the Baltic states that border Russia, must take into account such tactics as allies prepare for future threats, he said. That means steps should be taken to help build the capacity of other arms of government, such as interior ministries and police forces, to counter unconventional attacks, including propaganda campaigns, cyberassaults or homegrown separatist militias.

So go back to the alleged JP Morgan attack no one seems to have any evidence to substantiate. It was often attributed as arising somewhere in Eastern Europe. Which could be Russia — or Ukraine. Both countries, in fact, have significant numbers of organized criminals that launch fairly sophisticated cyberattacks.

How convenient, then, to ratchet up the cyberfear when unattributable attacks from the general region have been made a casus belli for the entire alliance.

Lying Keith the Kapitalist

On Sunday I asked who was crying wolf — JP Morgan itself, or Mike Rogers — about the claimed JP Morgan attack that might not be a serious attack at all and had been attributed to Russia without yet proof of that.

So who should crawl out of his sinecure but Keith Alexander?

Keith Alexander, the NSA director from 2005 until last March, said he had no direct knowledge of the attack though it could have been backed by the Russian government in response to sanctions imposed by the U.S. and EU over the crisis in Ukraine.

“How would you shake the United States back? Attack a bank in cyberspace,” said Alexander, a retired U.S. Army general who has started his own cybersecurity company to sell services to U.S. banks. “If it was them, they just sent a real message: ‘You’re vulnerable.’”

[snip]

The hackers who attacked JPMorgan, the biggest U.S. bank, were “a group with exceptional skills or a nation-state backed group,” Alexander said in an interview yesterday at Bloomberg’s Washington bureau.

[snip]

“If you wanted to send a message, do you think that was significant enough for the U.S. government to say one of the best banks that we have from a cybersecurity perspective was infiltrated by somebody?” Alexander asked. “And if they could get in to do that, even if they never use it, they could get in and collapse it. Does that cause you concern?”

Note how Alexander admits he has no personal knowledge of the attack but then opines about the skills of the hackers and goes from there to hypothesize how this was a response from Russia?

So maybe it wasn’t JP Morgan or Mike Rogers crying wolf. It sure looks like Alexander is willingly feeding the poorly evidenced claims about this hack.

But don’t worry, Keith Alexander doesn’t have a conflict of interest at all.

Internet Cats, Weaponized: US Defense Contractor Consulted on Targeted Network Injection Surveillance for Commercial Sales Abroad

[photo: liebeslakritze via Flickr]

[photo: liebeslakritze via Flickr]

First, a caveat: I would not click on the links embedded in the story I’m recommending (I’m this || close to swearing off embedded links forever). I don’t trust traffic to them not to be monitored or exploited.

But as Jeremy Scahill tweeted last evening, read this piece by WaPo’s Barton Gellman on malicious code insertion. This news explains recent changes by Google to YouTube once it had been disclosed to the company that exploits could be embedded in video content as CitizenLab.org explains:

“… the appliance exploits YouTube users by injecting malicious HTML-FLASH into the video stream. …”
“… the user (watching a cute cat video) is represented by the laptop, and YouTube is represented by the server farm full of digital cats. You can observe our attacker using a network injection appliance and subverting the beloved pastime of watching cute animal videos on YouTube. …”

The questions this piece shake loose are Legion, but as just as numerous are the holes. Why holes? Because the answers are ugly and complex enough that one might struggle with them. Gellman’s done the best he can with nebulous material.

An interesting datapoint in the first graf of the story is timing — fall 2009.

You’ll recall that Google revealed the existence of a cyber attack code named Operation Aurora in January 2010, which Google said began in mid-December 2009.

You may also recall news of a large batch of cyber attacks in July of 2009 on South Korean targets.

The U.S. military had already experienced a massive uptick in cyber attacks in 1H2009, more than double the rate of the entire previous year.

And neatly sandwiched between these waves and events is a visit by a defense contractor CloudShield Technologies engineer from California, to Munich, Germany with British-owned Gamma Group. Continue reading

NSA’s Plans to Excuse Their Hacker Fuck-Ups: Blame Israel

Wired has a very fascinating interview with Edward Snowden. You should go read the whole thing, among other things, for the swell picture of Snowden posing with Michael Hayden at some black tie event in 2011.

But I wanted to point to this incident.

One day an intelligence officer told him that TAO—a division of NSA hackers—had attempted in 2012 to remotely install an exploit in one of the core routers at a major Internet service provider in Syria, which was in the midst of a prolonged civil war. This would have given the NSA access to email and other Internet traffic from much of the country. But something went wrong, and the router was bricked instead—rendered totally inoperable. The failure of this router caused Syria to suddenly lose all connection to the Internet—although the public didn’t know that the US government was responsible. (This is the first time the claim has been revealed.)

Inside the TAO operations center, the panicked government hackers had what Snowden calls an “oh shit” moment. They raced to remotely repair the router, desperate to cover their tracks and prevent the Syrians from discovering the sophisticated infiltration software used to access the network. But because the router was bricked, they were powerless to fix the problem.

Fortunately for the NSA, the Syrians were apparently more focused on restoring the nation’s Internet than on tracking down the cause of the outage. Back at TAO’s operations center, the tension was broken with a joke that contained more than a little truth: “If we get caught, we can always point the finger at Israel.”

I assume — but am not certain — this was the outage in question. If so, the response is instructive. At least 3 US-based Internet security firms reported that Syria had brought down the Internet. Were they making stuff up, unable to determine what really happened, or just repeating something US officials told them?

I’m just as interested that — just 6 months after David Sanger’s reporting on how the Israelis let StuxNet escape…

An error in the code, they said, had led it to spread to an engineer’s computer when it was hooked up to the centrifuges. When the engineer left Natanz and connected the computer to the Internet, the American- and Israeli-made bug failed to recognize that its environment had changed. It began replicating itself all around the world. Suddenly, the code was exposed, though its intent would not be clear, at least to ordinary computer users.

“We think there was a modification done by the Israelis,” one of the briefers told the president, “and we don’t know if we were part of that activity.”

NSA’s hackers joked they might hide a major fuck-up by blaming Israel.

I’m sure that’s all just a coinkydink, though.

Keith Alexander’s Cyber Circle Jerk Gets Worse

As I noted earlier today, last year Keith Alexander’s CyberCommand forces got their asses handed to them by civilians in a cyber war game.

“They were pretty much obliterated,” said one Capitol Hill staffer who attended the exercise. “The active-duty team didn’t even know how they’d been attacked.”

Nevertheless, here is one of the things he told Ken Dilanian in his second “exclusive” interview attempting to explain why he should get rich in the private sector capitalizing on 9 years of fear-mongering about cyber.

“If I retired from the Army as a brain surgeon, wouldn’t it be OK for me to go into private practice and make money doing brain surgery?” he asked. “I’m a cyber guy. Can’t I go to work and do cyber stuff?”

Alexander’s story has changed a bit since his last attempt  to explain himself, to Shane Harris. The number of patents he’ll get expanded from 9 to 10.

His firm is developing as many as 10 patents, he said, and has secured contracts with three clients he declines to name.

And he claims — after apparently not challenging the underlying $1 million a month claim to Harris — that his rates were always overblown.

Reports of his firm charging $1 million a month for consulting services are not accurate, he said, though he declined to disclose his firm’s fees.

“That number was inflated from the beginning,” he said.

But that’s not the best bit. In addition to revolving door shadow regulator Promontory Financial Group (which goes unmentioned in both stories) and the Chertoff Group, Dilanian reveals who gave Alexander the advise he could get rich off serving the last 9 years in a top national security position: Someone who spent those same years in a top national security position.

Lawyers at NSA and his private lawyers— including former FBI Director Robert Mueller, now with the Wilmer Hale law firm in Washington — have told him he is on firm legal footing, Alexander said.

These exclusives are all well and nice, but both of them ignore the reports about Alexander serving as the lead to set up a public-private partnership between the banksters and the national security state to infringe our privacy in order to keep the banks safe (heck neither mentions his known contract with SIFMA).

Until exclusives actually ask Alexander about the known thrust of this program, they’re going to help his credibility no more than the exclusives with the same journalists explaining NSA spying did.

The President Who Demanded Stanley McChrystal’s Resignation Is Not Sheltering the NatSec Bureaucracy

As I have repeatedly noted, I think President Obama will protect John Brennan — and the CIA more generally — because of the mutual complicity built in between CIA and the White House over covert ops.

It’s not just that CIA knows the full details of the drone killings Obama authorized on his sole authority. It’s also that the CIA is still protecting the Office of the Presidency’s role in torture by withholding from the Senate documents over which the White House might — but did not formally — claim Executive Privilege. Obama did the same thing when he went to some lengths to prevent a very short phrase making it clear torture was Presidentially-authorized from being released in 2009; it wasn’t just the Finding that still authorized his drone strikes the President was protecting, but the Office that George Bush sullied by approving torture.

I also think Obama will stand by Brennan because they have worked closely so long Brennan is one of Obama’s guys.

Bloomberg View’s Jonathan Bernstein doesn’t agree, however. After dismissing Conor Friedersdorf’s version of the mutual incrimination argument, he suggests Obama is simply demonstrating to the national security bureaucracy he’s on their side.

Obama is concerned -– in my view, overly so -– with demonstrating to the intelligence bureaucracy, the broader national security bureaucracy, and the bureaucracy in general, that he is on their side. The basic impulse to stand up for the people he appointed isn’t a bad one; nor is the impulse to demonstrate to the intelligence community that he is no wild-eyed peacenik softie who opposes the work they do. For one thing, he’s more likely to effect change in national security areas if experts in the government believe he’s at least sympathetic to them as individuals and to their basic goals, even if he questions some of the George W.Bush-era (or earlier) methods. For another, the ability of bureaucrats to hurt the president with leaks doesn’t depend on the existence of deep dark secrets. Every president is vulnerable to selective leaks and a drumbeat of steady negative interpretations from the bureaucracy.

And yet, overdoing support for the bureaucracy can have severe costs. On torture, for example, emphasizing the good intentions of those faced with difficult choices during the last decade makes sense. But failing to take action, and leaving bureaucrats with serious liabilities because the status of their past actions is unresolved, only may have made reassuring them of presidential support increasingly necessary. That’s not a healthy situation.

Again: some of the incentive to (at least at first) stand up for presidential appointees is inherent in the presidency, and a healthy thing to do even when the president believes people have misbehaved and should go. But throughout his presidency, Obama has been overly skittish when it comes to potentially crossing his national security bureaucracy, and I strongly suspect that torture and other Bush-era abuses are both part of the original cause and will cause more of that timidity down the road.

Obama has been overly skittish when it comes to crossing his NatSec bureaucracy?

First, as I have already noted, Obama was perfectly happy demanding David Petraeus’ resignation for fucking his biographer. While I have my doubts whether that was really the reason — and while by firing him, Obama undercut a potential 2012 rival — he didn’t shy away from firing a man with some of the best PR in DC.

You might also ask the 19 top Generals and Admirals Obama has fired (most with the help of Bob Gates; also note the 20th on this list is Petraeus) — so many that conservatives accuse him of “purging” — whether he’s squeamish about crossing the NatSec bureaucracy. And while Micah Zenko’s comment on Twitter is correct that intelligence officials have largely escaped this treatment, Obama seemed happy to use  Michael Leiter’s National Counterterrorism Center’s failure to stop the UndieBomb attack to fire then Director of National Intelligence Dennis Blair.

President Obama is not a man afraid to fire members of the national security bureaucracy.

The starkest contrast with Brennan’s treatment comes from the case of Stanley McChrystal.

Obama demanded McChrystal’s resignation not because his night raids were exacerbating extremism in Afghanistan. Not because many service members felt he had left them exposed. Not because, even then, it was clear the surge in Afghanistan was going to fail.

Obama demanded McChrystal’s resignation because Michael Hastings exposed McChrystal and his top aides (including Michael Flynn, who quit in April because of differences on policy) being insubordinate. Obama demanded McChrystal’s resignation because doing so was necessary to maintain the primacy of civilian control — like separation of powers, one of the bedrocks ensuring national security doesn’t trump democracy.

That, to me, is the important takeaway from comparing McChrystal’s fate with Brennan’s.

When a top member of the national security bureaucracy challenged the control of the civilian executive, he got canned, appropriately, in my opinion.

But when the Director of the CIA permitted his Agency to strike at the core of the separation of powers by investigating its overseers, Obama offered his support. Obama may have fired a top general for threatening Executive authority, but he has supported a top aide after he threatened Legislative authority.

You can come up with any number of explanations why Obama did that. But being afraid of taking on his National Security bureaucracy — as distinct from taking on the intelligence agencies, as Obama chose not to do when Clapper lied or when Keith Alexander oversaw the leaking of the family jewels even while getting pwned in his core cyberdefense capacity — is not the explanation.

Obama has proven to have no qualms about upsetting his national security bureaucracy. Just that part of it run covertly.

Emptywheel Twitterverse
bmaz Was there a singularity point in time where the Beatles taught the Stones how to really rock? Yes but maybe only one https://t.co/6UjoVAiMmw
6hreplyretweetfavorite
JimWhiteGNV RT @cnnbrk: Six charged in West Virginia water contamination. http://t.co/vm2ZJHoP3m.
6hreplyretweetfavorite
emptywheel @LemonSlayerUS As I noted, I'm pretty sure Graham was hanging around bc he was so involved in the 9/11 Inquiry.
6hreplyretweetfavorite
emptywheel RT @kgosztola: .@WashingtonPost editorial board protests Obama's "bailout" for Cuba http://t.co/VkAn3evvO6 Cause only Wall St firms deserve…
6hreplyretweetfavorite
JimWhiteGNV RT @BeschlossDC: Castro met Malcolm X in Harlem NYC 1960: #Reuters http://t.co/VHBo4i6r4r
6hreplyretweetfavorite
emptywheel How much in taxes does Sony pay the US, anyway?
6hreplyretweetfavorite
emptywheel @ramez Property w/o cautiousness.
6hreplyretweetfavorite
emptywheel @gr8tale You obviously didn't click through.
6hreplyretweetfavorite
JimWhiteGNV RT @jrgaillot: RT of you have had enough of @MarcoRubio pushing for a policy that has failed the Cuban people for half a century http://t.c…
7hreplyretweetfavorite
emptywheel I mean, John Brennan's abject failure to stop cyber attacks while Homeland Security Czar not mentioned in CIA hearings. But now? central
7hreplyretweetfavorite
JimWhiteGNV RT @mazdaki: University of Florida students hold candlelight vigil for #PeshawarAttack victims. Wall painted #PeshawarStrong #FB http://t.c…
7hreplyretweetfavorite
emptywheel I repeat: MI has offered to pay a man $48 M to coach football at a university but Leg refuses to tax enough to fill our potholes.
7hreplyretweetfavorite
December 2014
S M T W T F S
« Nov    
 123456
78910111213
14151617181920
21222324252627
28293031