Attacks/Breaches
2/5/2013
05:17 PM
50%
50%

Anonymous Claims Wall Street Data Dump

Hacktivist group publishes 4,000 passwords as part of Operation Last Resort campaign seeking revenge for the treatment of Internet activist Aaron Swartz.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
The hacktivist collective Anonymous said that it's published a document dump that targets executives at financial services firms.

"Now we have your attention America: Anonymous's Superbowl Commercial 4k banker d0x via the FED," said a Sunday tweet from Operation Last Resort. A followup tweet from the same Twitter channel said, "Yes we posted over 4000 U.S. bank executive credentials."

Operation Last Resort is the name for an Anonymous campaign that seeks "reform of computer crime laws, and the overzealous prosecutors," and which was launched after Internet activist Aaron Swartz committed suicide. Although Swartz had long battled depression, numerous people have come forward to criticize the Department of Justice's handling of his case, including prosecutors' apparent strong-arm tactics.

[ For more on Anonymous's recent exploits, see Anonymous DDoS Attackers In Britain Sentenced. ]

The Sunday dox – a.k.a. data dump -- appears to contain about 4,600 records, including people's names, email addresses, institutions, IP addresses and login IDs, as well as their salted and hashed password, including the salt that was used. The records stretch to nearly 700 pages, and per the Anonymous tweet, appear to have been obtained from the Federal Reserve System.

The "bankd0x" -- as Anonymous has dubbed it -- initially was published on Pastebin, as well as to the Alabama Criminal Justice Information Center website in an HTML file titled "oops-we-did-it-again.html." After the Alabama state government removed the page, Anonymous reposted it on what appeared to be a Chinese government website.

Is the data legitimate? A small, random sample of the published information revealed names and email addresses that do appear to be real. Other people who investigated the data also suggested that it was legitimate. "OK, I called a few of them," said one Reddit user. "What must be so problematic for the Federal Reserve is not the information so much as this file was stolen from their computers at all. The ramifications of that kind of loss of control is severe."

The timing of the financial data dump appears to have been designed to call attention to a Jan. 28 letter sent to Attorney General Eric Holder by two key members of the House Oversight and Government Reform Committee. Signed by committee chairman Darrell Issa (R-Calif.) and ranking member Elijah Cummings (D-Md.), the letter demands answers to seven questions related to the Swartz case, as well as prosecutors' use in general of the Computer Fraud and Abuse Act (CFAA), and their practice of issuing superseding indictments. The legislators gave Holder a deadline of Monday to schedule a related briefing with them.

The bankd0x isn't the first attack launched by Anonymous as part of Operation Last Resort. Last week, the group hacked the website of the U.S. Sentencing Commission, which establishes sentencing policies and practices for the federal courts, to add a hidden Asteroids game. The group also distributed an encrypted file "warhead," for which it promised to later distribute the decryption keys, unless its CFAA reform demands were met.

At press time, the U.S. Sentencing Commission's website resolved to a single page that said the website "is currently under construction," and that listed a handful of links and contact phone numbers.

Also last month, Anonymous defaced a Massachusetts Institute of Technology website, denouncing the charges that had been filed against Swartz, demanding that the CFAA be reformed, and calling for more open access to information.

Offensive cybersecurity is a tempting prospect. It's also way too early to go there. Here's what to do instead. Also in the new, all-digital Nuclear Option issue of InformationWeek: Military agencies worldwide are figuring out the tactics and capabilities that will be critical in any future cyber war. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kbuchs559
50%
50%
kbuchs559,
User Rank: Apprentice
2/6/2013 | 8:51:58 PM
re: Anonymous Claims Wall Street Data Dump
Why equate the Federal Reserve with "Wall Street" as the headline says? This data must be access info for the Federal Reserve systems.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-4801
Published: 2014-12-18
Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manager 2.x through 2.0.1.1, 3.x before 3.0.1.6 iFix 4, 4.x before 4.0.7 iFix 2, and 5.x before 5.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.