Fed stays secretive after Anonymous hack

U.S. government officials, from President Obama to the ranks of Congress, regularly claim they want voluntary, substantive sharing between the public and private sectors on cyberattacks, vulnerabilities and breaches. Given that, the Federal Reserve is not on message following a Super Bowl Sunday hack.

The Fed acknowledged this week only what it had to -- that one of its websites had been breached on Super Bowl Sunday by a group calling itself OpLastResort, which is tied to the hacktivist collective Anonymous.

But the Fed's claim that only contact information of more than 4,000 bank executives had been compromised, along with its refusal to provide details on other crucial information, drew both scorn and anger from the security community.

In statements issued to various media outlets, the agency downplayed the seriousness of the event. Reuters quoted a spokeswoman as saying the Fed was aware that information was obtained by exploiting a temporary vulnerability in a website vendor product. "Exposure was fixed shortly after discovery and is no longer an issue," she said. "This incident did not affect critical operations of the Federal Reserve system." All the people affected by the breach had been notified, she added.

But the agency wasn't saying much else. It wouldn't identify what website had been hacked. Eventually, several publications including ZDNet said the exposed database belongs to The St. Louis Fed Emergency Communications System (ECS), which is the emergency communications system for 17 states, with an estimated 40% of America's state-chartered banks as its users.


It wouldn't identify the "website vendor product." And it said claims by the hackers that they had obtained login credentials, including hashed passwords and IP addresses, were "overstated." The Fed did say the passwords had been reset as a precautionary measure.

But Chris Wysopal, cofounder and CTO of Veracode, countered that the Fed was understating the case. Writing on the Veracode blog, Wysopal listed the information headers in the data dump, which included names, addresses, phone numbers, emails, IP addresses, login IDs and salted/hashed passwords.

"[This] is a spear phishing bonanza and even a password reuse bonanza for whoever can crack the password hashes," he wrote. "This is about the most valuable account dump by quality I have seen in a while."

ZDNet quoted Jon Waldman, a senior information security consultant at Secure Banking Solutions, saying the Fed is "simply incorrect by saying there's not account details on the list."

"I've seen that list and it is absolutely rife with account details," Waldman told ZDNet. "Usernames and hashed passwords are included with salts. Anyone worth their weight in the technology field can decrypt a hashed password."

Waldman accused the Fed of "a blatant and irresponsible lack of tact and urgency in the response ... I'd go as far as to say they have irrevocably LIED to their constituents here."

Wysopal told CSO Online: "The problem extends beyond Federal Reserve-controlled systems. I spoke to the IT security personnel at one financial institution affected, and they were making sure the executive changed his password on all systems they controlled in case the password was reused there. It would also extend to any personal accounts the banking executive victims have."

Waldman agreed. "Both the institutions and the individuals contained in this list WILL be specific targets of Social Engineering and hacking attacks," he told ZDNet.

Mark Baldwin, principal researcher and consultant at InfosecStuff, said he hasn't seen anything to make him think OpLastResort is overstating their hack. "The impact of this breach is debatable, but the fact of the breach itself and the information disclosed seems pretty cut and dried," he said.

Wysopal also complained in his blog post that the Fed wouldn't identify either the vendor or the product that had been hacked. "I wish they would just come out and say exactly what the problem was so that other users of the 'website vendor product' could check to see if they are vulnerable and ask the vendor how to fix it," he wrote. "The attackers already know the vulnerability so it is likely many more sites are being exploited with the same vulnerability."

"Who exactly is the Fed protecting by not releasing this information?" Wysopal wrote.

Chester Wisniewski, a senior security adviser at Sophos, guessed that the product in question was Adobe's ColdFusion, which had flaws fixed only two weeks ago. "I am sure the change controls at the Fed don't allow that fast of a response after a patch," he said.

Wysopal told CSO Online he could understand the Fed not sharing details if this was not a common technology, but he said they could at least say it was a vulnerability unique to them. "Voluntary information sharing is hurt every time there is a breach and there is the perception by security professionals that if they knew what had happened they could secure their organizations better with that information, yet there is no sharing," he said.

Baldwin also said he was troubled at the Fed's lack of transparency. "It makes me wonder if this was more a case of a patch that should have been applied, but wasn't, or possibly an admin account with default credentials that were not changed," he said. "I suspect it was something pretty basic or else they would be more willing to share the details."

Wisniewski agreed. "We have to collaborate if we want to improve," he said. "They may not want to point the blame, but it could help others protect themselves if we knew the details. Hiding things never helps."

Stories by Taylor Armerding