Fed hack highlights software patching problem

The recent hack of a Federal Reserve website highlights an ongoing problem many organizations face in trying to keep software up to date with security patches, experts say.

The Fed acknowledged on Tuesday that hackers stole non-critical information. The Anonymous group OpLastResort claimed responsibility for the break-in, which occurred on Sunday night. The group claimed the personal data of 4,000 bank executives was taken.

In a statement released to the media, the Fed said the hackers exploited a "temporary vulnerability in a website vendor product." The flaw was patched soon after it was discovered.

Keeping up to date with software patches has been a longtime problem for large organizations with complex computer systems, like the Fed. Because there are more updates than many organizations can get to in a timely manner, fixes are prioritized according to the importance of the software.

"It's a fairly constant problem that we've had for a number of years and it isn't going away," said Glenn Chisholm, chief security officer for Cylance.

In the case of the Fed, reports indicated the hackers broke into a non-public site that ran on top of a contact database used in reaching bank execs during a natural disaster.

A copy of a message by the Fed that was obtained by Reuters warned that data posted on the Web included mailing addresses, business phone numbers, mobile phone numbers, business email addresses and fax numbers. The message had been sent to the Fed's Emergency Communications System.

While potentially damaging to the bank execs, the data was less critical than other information held by the central bank, such as sensitive financial data or confidential policy communications. Therefore, it makes sense that software storing the data had a lower priority.

"While it may not seem so to the bankers whose information was compromised, when you put it into perspective -- we are talking about the Federal Reserve -- this data is really the low-hanging fruit," said Al Pascual, security analyst for Javelin Strategy & Research.

While unconfirmed, media speculation had the flaw as a known vulnerability in Adobe ColdFusion software, which is used by some Federal Reserve websites. Fed developers discovered the bug in 2011, The Huffington Post reported.

The data that was stolen from the Fed and posted on the Web could likely become a headache for the bank execs. Hackers could use the information to craft email that would be more likely to trick recipients into clicking on an attachment or a link to a malicious website. Such email campaigns are called spear phishing.

"The path into most organizations these days is through spear phishing," Chisholm said.

The Anonymous group OpLastResort reported the hack first on Twitter. While early media reports said login credentials, including hashed passwords and IP addresses, were stolen, a Federal Reserve representative later discounted the claims as "overstated."

OpLastResort is waging a protest campaign against government prosecution of Aaron Swartz, the Internet prodigy who committed suicide on Jan. 11. Swartz was set to go to trial in April for allegedly stealing millions of academic articles from the online archive JSTOR. If convicted, he would have faced 35 years in prison.
