Fed hack highlights software patching problem
- — 07 February, 2013 14:22
The recent hack of a Federal Reserve's website highlights an ongoing problem many organizations face in trying to keep software up to date with security patches, experts says.
The Fed acknowledged on Tuesday that hackers stole non-critical information. The Anonymous group OpLastResort claimed responsibility for the break-in, which occurred on Sunday night. The group claimed the personal data of 4,000 bank executives was taken.
In a statement released to the media, the Fed said the hackers exploited a "temporary vulnerability in a website vendor product." The flaw was patched soon after it was discovered.
Keeping up to date with software patches has been a longtime problem for large organizations with complex computer systems, like the Fed. Because there are more updates than many organizations can get to in a timely manner, fixes are prioritized according to the importance of the software.
"It's a fairly constant problem that we've had for a number of years and it isn't going away," said Glenn Chisholm, chief security officer for Cylance.
In the case of the Fed, reports indicated the hackers broke into a non-public site that ran on top of a contact database used in reaching bank execs during a natural disaster.
A copy of a message by the Fed that was obtained by Reuters warned that data posted on the Web included mailing addresses, business phone numbers, mobile phone numbers, business email address and fax numbers. The message had been sent to the Fed's Emergency Communications System.
While potentially damaging to the bank execs, the data was less critical than other information held by the central bank, such as sensitive financial data or confidential policy communications. Therefore, it makes sense that software storing the data had a lower priority.
[Also see: Anonymous had bad month, but no less reliable]
"While it may not seem so to the bankers whose information was compromised, when you put it into perspective -- we are talking about the Federal Reserve -- this data is really the low-hanging fruit," said Al Pascual, security analyst for Javelin Strategy & Research.
While unconfirmed, media speculation had the flaw as a known vulnerability in Adobe ColdFusion software, which is used by some Federal Reserve websites. Fed developers discovered the bug in 2011, The Huffington Post reported.
The data that was stolen from the Fed and posted on the Web could likely become a headache for the bank execs. Hackers could use the information to craft email that would be more likely to trick recipients into clicking on an attachment or a link to a malicious website. Such email campaigns are called spear phishing.
"The path into most organizations these days is through spear phishing," Chisholm said.
The Anonymous group OpLastResort reported the hack first on Twitter. While early media reports said login credentials, including hashed passwords and IP addresses, were stolen, a Federal Reserve representative later discounted the claims as "overstated."
OpLastResort is waging a protest campaign against government prosecution of Aaron Swartz, the Internet prodigy who committed suicide on Jan. 11. Swartz was set to go to trial in April for allegedly stealing millions of academic articles from the online architve JSTOR. If convicted, he would have faced 35 years in prison.
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.