dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
824
share rss forum feed


FF4m3

@rr.com

Confirmed: Anonymous Hacked The Federal Reserve

Anger rises as Fed confirms Anonymous hack, downplays US bank emergency system breach - February 6, 2013:

The Federal Reserve has confirmed Sunday's Anonymous hack; ZDNet has learned the exposed information is from thousands of Fed emergency system bank contacts.

After Anonymous posted sensitive credentials of over 4,600 banking executives to a government Web site on Super Bowl Sunday, the Federal Reserve acknowledged the attack in a Tuesday morning statement to affected individuals and press.

However, while a spokesperson from the Federal Reserve told The Huffington Post that Anonymous' claim to the hack's importance was "overstated," information security professionals that serve financial institutions are saying the exact opposite—and are not best pleased with the Federal Reserve.

ZDNet has now learned that the compromised and exposed database belongs to The St. Louis Fed Emergency Communications System.

Chris Wysopal, CTO and co-founder at Veracode, unpacked the hack and calls it "a spearphising bonanza" and "the most valuable account dump by quality I have seen in a while" in the post Stolen Data Headers From The Federal Reserve Hack.

According to The Banker's Advocate, ECS is the emergency communications system for seventeen states, with plans to add seven new states this year.

ECS estimates it holds 40 percent of America's state-chartered banks as its users.

The ECS was deployed in 2008 and is the means by which bank supervisory agencies such as the Bank Department and the Federal Reserve Supervision and Regulation functions to communicate with financial institutions during emergencies.

The ECS system enables agencies to establish two-way communications channels with institutions during a crisis to exchange critical information; crises such as natural or man-made disasters (weather, fire, and so on), "chemical biological events or threats," and "events affecting the financial markets."

In official replies to constituents, the Federal Reserve stated no actual account information was compromised, and that this incident was not of significant importance.

Jon Waldman, a senior information security consultant whose firm specializes in serving small-to-medium sized financial institutions—such as those on the list—told ZDNet and explained his anger at The Fed's downplaying of the incident, saying:

The Federal Reserve is simply incorrect by saying there's not account details on the list. I've seen that list and it is absolutely rife with account details. Usernames and hashed passwords are included with salts. Anyone worth their weight in the technology field can decrypt a hashed password. The Fed did state that the passwords weren't "compromised," but that just means that they weren't listed out in plain-text.

As an information security expert, it's my official position that there was a blatant and irresponsible lack of tact and urgency in the response by the Federal Reserve to the individuals and institutions contained in this list. I'd go as far as to say they have irrevocably LIED to their constituents here. Granted, there's no immediate threat of funds-transfer or additional data loss, but there's certainly an imminent danger here to each and every one of those accounts that have been exposed.

This list is, in fact, still publicly available via a Chinese website, meaning all of this information is still out there for anyone with cyber-crime propensities to access and utilize.
Waldman's outrage aside, he explained the risk to individuals on the list thusly:
Both the institutions and the individuals contained in this list WILL be specific targets of Social Engineering and hacking attacks. Not only was business information (phone numbers and emails) included in this list, but personal information (cell numbers and email addresses) as well. Additionally, the External IP address information (the IP address that identifies that host or institution on the Internet) for these institutions was contained in this list.

Thus, if you happen to be a precarious individual involved with some back-door dealings, including attempts to swindle individuals out of money or confidential information, and I presented you with a list of 4000+ phone numbers of financial institutions to call in an attempt to extract customer account information or internal bank information from tellers or employees, wouldn't you be pretty interested?

How about a list of 4000+ banking executives to whom one could send a targeted phishing email? 4000+ bank executive personal cell phone numbers to call? What could one do with that? Calls or text messages? Or even better, a list of 4000+ External IP Addresses that one could hack or perform a denial of service attack against.



kvn864

join:2001-12-18
Sun City, AZ
kudos:1

1 recommendation

This quickly gets annoying. I just cant believe the government agencies have no power to stop/prevent such an event.



goalieskates
Premium
join:2004-09-12
land of big

1 recommendation

reply to FF4m3

And people like to talk about stupid users ... sheesh.

So when will DHS kick the Federal Reserve's butt?



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..

1 recommendation

said by goalieskates:

And people like to talk about stupid users ... sheesh.

So when will DHS kick the Federal Reserve's butt?

Probably about 10 minutes after the discovery that Janet Napolitano's personal information was compromised via the Fed intrusion and scattered all over the Internet Highway...
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville


DigitalXeron
There is a lack of sanity

join:2003-12-17
Hamilton, ON

3 edits

1 recommendation

reply to kvn864

said by kvn864:

This quickly gets annoying. I just cant believe the government agencies have no power to stop/prevent such an event.

It's not as much that they don't have the power, it is that implementing BCPs (Best Current Practices) on security is often deemed by management as "too expensive", "unneeded" or "too many resources", "too restrictive/cumbersome" among other excuses.

For these agencies to implement BCPs, there would be a requirement to lose some of the convenience for both their employees and management themselves. For instance among the conveniences that would be lost: being able to carry unencrypted data or the like on storage devices, laptops and so forth (User excuse: "Encryption is too hard") or to be able to carry that data off site in the first place to work on it at home (Management Excuse: "Staff need to be able to finish their work to remain productive"), staff bringing personal devices onto the agency network (User excuse: "I need to be in constant contact with my contacts to be able to deal with issues quickly") or the like.

The problem is that at the end of the day, the government agencies themselves are not held accountable and make the illusion that every successful breach is by someone who was too good for their defences and the only recourse is to send law enforcement after them. Meanwhile internal operating procedures don't change (despite claims that they do) and the same sort of breaches happen again and again.

There is an underlying political issue to all of this that is outside of the scope of operational information security (and is more of a law/policy/governmental structure issue), but suffice it to say: US Government agencies are run much like corporations: There can never be fault with them, it's always someone else's fault that the attacks are successful, even if they can be guarded against.
--
--Kradorex Xeron
[an error occurred while processing this signature]


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..

1 recommendation

reply to FF4m3

If data security loomed as large in management's mind as justifying and obtaining next year's budget from Congress, security practices would be a lot tighter... and violations at any agency level would carry genuine and well-demonstrated sanctions (demotion, dismissal, major fines, prison time, etc). The actual scenarios that keep unfolding fall well short of that... and they demonstrate that data security is simply not truly a top priority. At least, not in most governmental agencies. Put another way, if behavioral lapses and decisions of the responsible managers and those beneath them directly caused the loss of a good chunk of that agency's budget for the following year, heads would roll and/or people would go to jail. That just doesn't happen with most governmental data security breaches and lapses, and if it does, it's always the lowest member of the custodial food-chain who is sacrificed to get things to quiet back down.

In these digital-compromise flaps, the reality remains that it's "other people's data" that's generally involved. And that creates a lack of any true sense of personal 'ownership' by the custodians (at all levels) entrusted with the data and providing for its secure storage. The only thing that stimulates a true sense of ownership is if it is actually made to become the custodial chain's data as well. That is accomplished by making the pain of its loss/compromise to be at least as directly felt by the custodians as the sum of all the pain (real or potential) of all those people/entities whose data it really is or who may be directly impacted by its loss. But until the entire food-chain of custodial staff take ownership of data security just as seriously as they do with budget, the problem will remain and, given the growth of hacking techniques, keep growing. Moreover, the war for data security is being fought (and lost) one agency at a time... the broader the horizon, the less the sense of real data ownership one sees within government custodial chains.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville