The Week in SSL – JPMorgan Spear Phishing, Patching USBs, and Xbox Tech Stolen

Here is a recap of the major news stories this week on the topic of SSL and network security.

JPMorgan Bracing For ‘Spear Phishing’ Campaign

Elizabeth MacDonald of Fox Business reports that “JPMorgan Chase officials are bracing for a massive spear phishing campaign launched by cyber thieves who broke into the bank’s servers in the biggest cyber-attack on a U.S. bank to date. Cyber criminals thought to be emanating from Russia or former Soviet satellite states hacked into numerous JPMorgan computer servers and accessed contact information like names and email addresses for 76 million customers and seven million small businesses.” While it is believed that no sensitive banking information was stolen, the customer data that was taken could be used for “spear phishing” attacks. Possible outcomes of successful phishing attacks would include theft of additional data from the customers, including login information, as well as the potential for uploading Trojans and malware. J.P. Morgan is warning its customers to be extra vigilant with emails that they receive regarding their accounts.

Hackers May Have Targeted at Least 13 Firms

This article in the Wall Street Journal reveals new information that as many as 12 other financial companies may have been targeted by the same hacker or group of hackers that stole information from J.P. Morgan. Emily Glazer, Danny Yadron, and Daniel Huang report that investigators believe that at least one of those other institutions was likewise compromised. “We are at a very critical juncture,” said Benjamin Lawsky, head of New York’s financial-services regulator. “There is a very serious, persistent threat that is not something that should just go on a list of things to do.” This article speculates that the hacker(s) were likely casting a wide net as they probed the companies for weaknesses. The J.P. Morgan hack is described as follows: “Hackers appear to have originally breached J.P. Morgan’s network via an employee’s personal computer, people close to the investigation have said. From there, the intruders were able to leapfrog to additional data because the machine accessed had administrative privileges, the people said.”

That Unpatchable USB Malware Now Has a Patch … Sort Of

Last week we reported on a USB exploit that could deliver a malware payload in an undetected manner. Andy Greenberg of Wired is now reporting that this “unpatchable” flaw inherent in most USB drives may have a fix. Security researchers Adam Caudill and Brandon Wilson, who released information about the exploit, have now issued a fix “meant to prevent firmware changes altogether. Their patch code, which they’ve released on Github, does this by disabling ‘boot mode’ on a USB device, the state in which its firmware is meant to be reprogrammed. Without boot mode, Caudill says it would become far harder to pull off any BadUSB attack, and would virtually eliminate the threat of malware that spreads from USB stick to PC and vice versa. ‘By making that change, you can drastically change the risk associated with this,’ says Caudill. ‘It makes any type of self-replicating, worm-type malware very, very difficult to use.’” This fix still can be defeated with a technique known as “pin shorting” that allows physical tampering to hard reset the firmware. Their low tech defense against this is to simply coat the innards of the drive with epoxy, which would result in the destruction of the drive if a hacker attempted to tamper with it.

Hackers charged with stealing over $100m in US army and Xbox technology

Microsoft, the US Army, and game manufacturers were all infiltrated by a group of four hackers, as reported by The Guardian’s Nicky Woolf. The hackers are said to have stolen over $100 million worth of intellectual property from their targets. “The four, aged between 18 and 28, are alleged to have stolen Xbox technology, Apache helicopter training software and pre-release copies of games such as Call of Duty: Modern Warfare 3, according to an indictment dating from April that was unsealed on Tuesday.” The four had been jointly charged with conspiracy to commit computer fraud, copyright infringement, wire and mail fraud, identity theft, and theft of trade secrets. Authorities believe that one of the defendants (who has already pled guilty), David Pokora, represents the first conviction of a foreign-based hacker on charges of stealing domestic trade secrets.

Hackers from India, Pakistan in full-blown online war

Kim Arora of the Times of India reports that Indian and Pakistani hackers are engaged in a full-blown “online war”. Over a dozen websites have been defaced as part of the virtual conflict. “A hacker group calling itself ‘Indian Hackers Online Squad’ hacked and defaced the website of the Pakistan’s main opposition party, Pakistan People’s Party…with one “Bl@k Dr@gon” claiming credit. On Thursday, the Pakistan railways website was hacked as well, the second time this year, with the same name appearing on the defaced page.” There have been no reports so far of material damage or data theft from the hacks.