Attacks/Breaches
2/6/2013
11:41 AM
50%
50%

Fed Breach: Attackers Exploited Website Product Vulnerability

Federal Reserve confirms breach of database with banking executive contact information for use in a natural disaster.

The Federal Reserve confirmed that it suffered a successful hack attack, but said attackers didn't breach critical systems.

The confirmation from the country's central banking system appeared to validate assertions made by the hacktivist group Anonymous, which claimed credit for the Sunday breach and subsequent data dump of what it described as "over 4,000 U.S. bank executive credentials."

Despite confirming the breach had occurred, however, the Fed offered scant additional details, except to note that attackers exploited a vulnerability in one of its products. "The Federal Reserve System is aware that information was obtained by exploiting a temporary vulnerability in a website vendor product," a spokeswoman from the Federal Reserve Bank of Richmond said in an emailed statement.

"The exposure was fixed shortly after discovery and is no longer an issue. This incident did not affect critical operations of the Federal Reserve System," according to the statement.

[ How do you define cyberwarfare? Read Uncertain State Of Cyberwar. ]

A Fed spokeswoman didn't immediately respond to an emailed request for more detailed information about the breach. But the Anonymous-delivered data dump, a.k.a. dox, included about 4,600 records, including people's names, email addresses, IP addresses, login IDs, salted and hashed -- not plain text -- passwords, as well password salts.

Reuters reported that the hacked database included contact information for banking personnel, and was designed to be used in the event of natural disaster. In particular, it allows banks that have been affected by tornados or flooding to alert the Fed, which can assess the potential impact to the country's banking system.

According to a message distributed by the Fed to its employees, the breached database was part of its Emergency Communication System (ECS), and warned that personal information, including mailing addresses, business and cellphone numbers, as well as business email addresses and fax numbers, were contained in the database. "Some registrants also included optional information consisting of home phone and personal email. Despite claims to the contrary, passwords were not compromised," according to the Fed's message, a copy of which was obtained by Reuters. It reported that the Fed later verified the authenticity of the message to ECS members.

Claims that no passwords were compromised suggests that officials at the Fed don't believe that the salted and hashed passwords included in the data dump could be decrypted by attackers.

The Fed data was leaked by Anonymous as part of its Operation Last Resort, which seeks "reform of computer crime laws, and the overzealous prosecutors." The campaign was launched last month after Internet activist Aaron Swartz committed suicide. He faced significant jail time after prosecutors indicted him on 13 felony counts, including violating the Computer Fraud and Abuse Act (CFAA), for downloading millions of academic journal articles without authorization.

But prosecutors' application of CFAA in the case has been widely criticized for being too heavy handed. It also sparked questions from the House Oversight and Government Reform Committee's chairman Darrell Issa (R-Calif.), and ranking member Elijah Cummings (D-Md.), who wrote to attorney general Eric Holder requesting that he brief Congress on the case, as well as the use of CFAA by prosecutors. The legislators gave Holder a Monday deadline for scheduling the briefing.

According to Anonymous, its "Federal Reserve minidrop" -- referring to the dox -- was meant to focus attention on the Monday deadline, as well as broader efforts to reform CFAA.

Anonymous appeared to be keeping a close eye on the Justice Department's response: "6pm: tick tock, tick tock on the Holder clock. Really think you can brush off the House Oversight Committee AND Anonymous?!" read a Monday tweet posted by the Operation Last Resort account on Twitter.

A Department of Justice spokeswoman Wednesday, however, confirmed via email that "the department has been in contact with the committee and plans to brief them on the matter," although she didn't specify when the briefing was set to occur.

Likewise, a tweet from Rep. Issa said, "For those who missed my earlier #AaronSwartz update: @TheJusticeDept has agreed to brief @GOPoversight @OversightDems on Swartz case." A spokesman for Rep. Issa, reached by phone, wasn't immediately able to confirm when the briefing was scheduled to take place.

In this all-day InformationWeek and Dark Reading Virtual Event, experts and vendors will offer a detailed look at how enterprises can detect the latest malware, analyze the most current cyber attacks, and even identify and take action against the attackers. Attendees of the Hackers Unmasked event will also get a look at how cybercriminals operate, how they are motivated -- and what your business can do to stop them. It happens Feb. 7. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] Assessing Cybersecurity Risk
[Strategic Security Report] Assessing Cybersecurity Risk
As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today's enterprises evaluate the risks they face. This report also offers a look at security professionals' concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.