The JPMorgan Breach and the Problem with Passwords

Andy Harris

Earlier this week US investigators charged three men after a multi-year cybercrime campaign led to the theft of personal information belonging to 100 million financial customers. It’s already being described by Bloomberg as the “largest cyber breach” ever and has sent shock waves around the financial services industry. But while this was a sophisticated criminal operation spanning several continents and potentially hundreds of operatives, what struck me was the fact that some of the techniques used by the hackers appeared to be far from advanced.
In fact, regular readers of this blog will probably know what I’m going to say next. Much of it appears to have come down to exploiting the same old basic vulnerabilities in commonly used password log-in systems.
Just too easy
The details of this daring cyber campaign are still fully to emerge. What we know is those indicted made upwards of $100 million from their activities, which involved stock manipulation, credit card fraud and even running illegal online gambling sites. Most pertinently, they managed to hack several major financial institutions and publishing companies which are likely to spend millions or even hundreds of millions on cybersecurity – most notably JPMorgan.
How exactly they managed to infiltrate these companies is not detailed in many reports, although one of the main reasons for illegally obtaining customer information appears to have been to market their pump-and-dump share scheme to rather than to commit ID fraud or steal financial information. However, Wired explained the following:
The unidentified hacker used multiple methods to break into the networks, including brute-force attacks. At one point, Aaron also tricked a victim in the US into providing login credentials to ETrade and Scottrade networks. The hacker then used this access to locate customer databases on the networks.
Brute forcing is a commonly used technique made easier by virtue of the fact that most password systems require the user to choose their own credential. Inevitably they choose an easy-to-remember password, which makes it easier to brute force or crack by hackers with tools readily available on the darknet.
We aren’t told if the “victim” in the second sentence was a system administrator or a user. But it highlights another fundamental flaw with most password systems – the human. If you can be tricked via a simple bit of social engineering – on the phone, by email or even in person – into handing over that credential, then the keys to your account are in the hands of the cybercriminal. In the case of a privileged user like an IT administrator, of course, it’s much more serious, because their log-ins could provide access to an entire organisation’s computer systems. Don’t believe your IT staff are any savvier when it comes to spotting this kind of thing than your average user. The attackers know what they’re doing, and frequently do their research beforehand to make any spear phishing email look as realistic as possible. Incidentally, they’re also not averse to using simple-to-remember or even default passwords on privileged accounts to make their job easier. Unfortunately, this also makes the job of cracking that credential child’s play.
Privileged Access Management
The answer is to remove the human from the whole password management process. If they don’t have a password to remember, they can’t accidentally divulge it to a hacker and they can’t make it easy to guess or crack. Osirium’s Privileged User Management platform does just that. We manage and store your IT staff’s usernames and passwords so they’re out of the reach of attackers, and then provide full Single Sign On for easy access. What’s more, we use long, randomly created credentials which makes brute force attacks impossible.
For those organisations who are still concerned about sophisticated external and internal cyber attacks on their systems, there’s Osirium’s Privileged User Analytics. It’s designed to give you the visibility you need into your privileged user accounts, to spot if something doesn’t look right.
If audacious, large scale cyber attacks like the ones highlighted this week teach us anything it should be that good security must start with locking down password-based risk. And to do that, you need to outsource that password management to a trusted third party.