Anger rises as Fed confirms Anonymous hack, downplays US bank emergency system breach

Summary: The Federal Reserve has confirmed Sunday's Anonymous hack; ZDNet has learned the exposed information is from thousands of Fed emergency system bank contacts.

After Anonymous posted sensitive credentials of over 4,600 banking executives to a government Web site on Super Bowl Sunday, the Federal Reserve acknowledged the attack in a Tuesday morning statement to affected individuals and press.

However, while a spokesperson from the Federal Reserve told The Huffington Post that Anonymous' claim to the hack's importance was "overstated," information security professionals who serve financial institutions are saying the exact opposite—and are not best pleased with the Federal Reserve.

ZDNet has now learned that the compromised and exposed database belongs to The St. Louis Fed Emergency Communications System.

Update February 6, 1:45pm PST: Chris Wysopal, CTO and co-founder at Veracode, unpacked the hack and calls it "a spearphishing bonanza" and "the most valuable account dump by quality I have seen in a while" in the post Stolen Data Headers From The Federal Reserve Hack.

The Federal Reserve headquarters in Washington, DC. (Credit: Dan Smith/Wikimedia Commons)

According to The Banker's Advocate, ECS is the emergency communications system for seventeen states, with plans to add seven new states this year.

ECS estimates it holds 40 percent of America's state-chartered banks as its users.

The ECS was deployed in 2008 and is the means by which bank supervisory agencies, such as the Bank Department and the Federal Reserve's Supervision and Regulation function, communicate with financial institutions during emergencies.

The ECS enables agencies to establish two-way communications channels with institutions during a crisis to exchange critical information. The crises it covers include natural or man-made disasters (weather, fire, and so on), "chemical biological events or threats," and "events affecting the financial markets."

Sensitive information on thousands of people at state-chartered banks and credit unions—including login information, credentials, IP addresses, and contact information—was listed in a spreadsheet and posted to a government site, then announced and claimed by the "Operation Last Resort" faction of Anonymous.

The Alabama Criminal Justice Information Center, whose government Web site was compromised and used to host the spreadsheet, did not respond to requests for comment from the Washington Post.

The page—with URL filename "oops-we-did-it-again"—remained accessible into early Monday morning PST. A cached version of the page was still available as of Tuesday afternoon, as well as a copy of the raw text placed on Pastebin at the time of the attack.

A Federal Reserve spokesperson told Reuters exactly what it sent in the email to affected individuals, saying: "The Federal Reserve system is aware that information was obtained by exploiting a temporary vulnerability in a Web site vendor product."

Contact from the Federal Reserve to affected individuals was independently verified to ZDNet by a source, who spoke on terms of confidentiality.

ZDNet's source provided a copy of Federal Reserve's email to those on the list, revealing that affected institutions were notified about a breach and that their passwords to the affected system (a Web site with a contact database for banks to use during a natural or man-made disaster) would be changed.

Tuesday morning, those on the list, along with news media, received this information from The Federal Reserve Bank of St. Louis:

The Federal Reserve System has learned that user contact data from its Emergency Communications System (ECS), a system used by the Federal Reserve and state banking departments to notify depository institutions of operational status in the event of natural or other disasters, was obtained and posted on the internet by an outside group that exploited a temporary vulnerability in a vendor website product. The vulnerability was remediated quickly after discovery, and the incident did not impact any critical operations of the Federal Reserve System.

We are bringing this information to your attention because you are a registrant for ECS. Information obtained from the registrants consisted of mailing address, business phone, mobile phone, business email, and fax. Some registrants also included optional information consisting of home phone and personal email. Despite claims to the contrary, passwords were not compromised, but nonetheless, have been reset as a precautionary measure.

The source told ZDNet, "The banks on the list were not compromised."

GIS map of compromised banks made with Geocommons.

The St. Louis Fed Emergency Communications System services American state member banks and credit unions.

Its Web site reads:

Welcome to the Emergency Communications System (ECS), a free service that allows your financial institution to receive important communications from your regulatory agency during crises such as a natural or man-made disasters, or events that dramatically affect the financial markets.

Officials who are selected as your institution's emergency contacts simply register by creating a user id and submitting relevant contact information. After registering, individuals can update their contact information at any time, allowing the contact information to remain current and accurate.

Please note that registrants are only contacted in the event of an emergency and during semi-annual tests. This information is not shared with anyone else other than your respective regulatory agency.

Following attacks on U.S. government Web sites last weekend, Anonymous claimed the new "Operation Last Resort" .gov Web site strike just as the Super Bowl football game ended.

The OpLastResort campaign demands "reform of computer crime laws" and investigation of "overzealous prosecutors" in response to the suicide of young hacker, anti-SOPA activist, and Reddit co-founder Aaron Swartz.

On January 25, Anonymous commandeered the U.S. Federal Sentencing Web site to distribute Operation Last Resort "warheads" (encrypted files that Anonymous suggested contain sensitive information).

The ussc.gov attack and defacement was followed by the government regaining the Web site only temporarily, until Anonymous reclaimed the government property with a mocking video game of Asteroids.

The U.S. Sentencing Commission Web site remains disabled and "under construction" as of this writing.

In official replies to constituents, the Federal Reserve stated no actual account information was compromised, and that this incident was not of significant importance.

Jon Waldman, a senior information security consultant whose firm specializes in serving small-to-medium sized financial institutions—such as those on the list—explained to ZDNet his anger at The Fed's downplaying of the incident:

The Federal Reserve is simply incorrect by saying there's not account details on the list. I've seen that list and it is absolutely rife with account details. Usernames and hashed passwords are included with salts. Anyone worth their weight in the technology field can decrypt a hashed password. The Fed did state that the passwords weren't "compromised," but that just means that they weren't listed out in plain-text.

As an information security expert, it's my official position that there was a blatant and irresponsible lack of tact and urgency in the response by the Federal Reserve to the individuals and institutions contained in this list. I'd go as far as to say they have irrevocably LIED to their constituents here. Granted, there's no immediate threat of funds-transfer or additional data loss, but there's certainly an imminent danger here to each and every one of those accounts that have been exposed.

This list is, in fact, still publicly available via a Chinese website, meaning all of this information is still out there for anyone with cyber-crime propensities to access and utilize.

Outrage aside, Waldman explained the risk to individuals on the list this way:

Both the institutions and the individuals contained in this list WILL be specific targets of Social Engineering and hacking attacks. Not only was business information (phone numbers and emails) included in this list, but personal information (cell numbers and email addresses) as well. Additionally, the External IP address information (the IP address that identifies that host or institution on the Internet) for these institutions was contained in this list.

Thus, if you happen to be a precarious individual involved with some back-door dealings, including attempts to swindle individuals out of money or confidential information, and I presented you with a list of 4000+ phone numbers of financial institutions to call in an attempt to extract customer account information or internal bank information from tellers or employees, wouldn't you be pretty interested?

How about a list of 4000+ banking executives to whom one could send a targeted phishing email? 4000+ bank executive personal cell phone numbers to call? What could one do with that? Calls or text messages? Or even better, a list of 4000+ External IP Addresses that one could hack or perform a denial of service attack against.
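The dispute between the Fed's "passwords were not compromised" and Waldman's "anyone ... can decrypt a hashed password" turns on what a leaked salted-hash table actually gives its holder. Nothing is decrypted: a hash is verified by hashing a candidate the same way and comparing, and the stored record alone is enough to do that, so the cost of each guess is set entirely by how the hash was computed. The example below is added here to illustrate that point; it is not code from the article, from Waldman, or from the ECS vendor, and it assumes nothing about the scheme ECS actually used. The two record formats (a single salted SHA-256 pass standing in for a fast hash, and PBKDF2-HMAC-SHA256 with a configurable iteration count) are constructed for the demonstration, as is the sample password.

```python
import hashlib
import hmac
import os
import time

# Constructed record formats (assumptions for this example, not the ECS vendor's scheme):
#   ("sha256-salted", salt, digest)          one fast hash pass over salt || password
#   ("pbkdf2-sha256", iterations, salt, dk)  deliberately slow key derivation


def legacy_record(password: str, salt: bytes = b"") -> tuple:
    """Fast salted hash: the kind of record a leaked table lets anyone test guesses against cheaply."""
    salt = salt or os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).digest()
    return ("sha256-salted", salt, digest)


def hardened_record(password: str, iterations: int = 200_000, salt: bytes = b"") -> tuple:
    """PBKDF2-HMAC-SHA256 record: every guess costs `iterations` HMAC computations."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return ("pbkdf2-sha256", iterations, salt, dk)


def verify(record: tuple, candidate: str) -> bool:
    """Check a candidate password against a stored record.

    Nothing is decrypted: the candidate is hashed the same way and the results are
    compared in constant time. Only the record is needed, which is why a leaked table
    can be checked offline, and why a reset is warranted even though no plaintext leaked.
    """
    if record[0] == "sha256-salted":
        _, salt, digest = record
        guess = hashlib.sha256(salt + candidate.encode()).digest()
        return hmac.compare_digest(guess, digest)
    if record[0] == "pbkdf2-sha256":
        _, iterations, salt, dk = record
        guess = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
        return hmac.compare_digest(guess, dk)
    raise ValueError(f"unknown record type {record[0]!r}")


def seconds_per_guess(record: tuple, trials: int = 20) -> float:
    """Measure the cost of one verification; this is the unit cost of an offline guess."""
    start = time.perf_counter()
    for i in range(trials):
        verify(record, f"not-the-password-{i}")
    return (time.perf_counter() - start) / trials


def slowdown_factor(password: str, iterations: int = 200_000) -> float:
    """How many times more expensive each guess is under PBKDF2 than under one SHA-256 pass."""
    fast = seconds_per_guess(legacy_record(password))
    slow = seconds_per_guess(hardened_record(password, iterations))
    return slow / fast


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    rec = hardened_record(pw)
    print("verify correct:", verify(rec, pw))
    print("verify wrong:  ", verify(rec, "hunter2"))
    print(f"one PBKDF2 guess costs about {slowdown_factor(pw):,.0f}x a single SHA-256 pass")
```

The ratio printed at the end is the whole argument in one number: with a fast hash, a leaked table can be tested at millions of guesses per second per core, so weak or reused passwords fall quickly; with a deliberately slow derivation the same leak buys the holder far fewer guesses per second, which is why the iteration count (or an equivalent memory-hard scheme) matters more than the presence of a salt. Either way, the immediate mitigation is the one the Fed did take: reset the passwords.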

There are many unanswered questions, and larger questions loom. We will report updates as they happen.

Topics: Security, Government US, Legal

Talkback

19 comments
  • "Temporary vulnerability"

    I do believe most hacks and infections are based on some "temporary vulnerability" (not including, apparently, stuff put out by Adobe, Oracle and Microsoft, that is....)

    Also I would like to know who's and what's of this "Web site vendor product" that's referred to: is this a product in other places in government or commercially?
    JustCallMeBC
  • Didn't "they" also claim that Enron COULD NOT......

    manipulate the California power market?
    :-(
    kd5auq
  • Anonymous rocks

    Few organizations get so much publicity for their causes. Our government is so corrupt and mutated from its original purpose that I tend to like anyone who messes with them. When the people of this nation finally rise up against the tyrannical puppets in Washington, Anonymous will play a major role in their downfall.
    BillDem
    • "Rise up against the tyrannical puppets..."

      And do what with them?

      Vote them out? Fine with me.

      Throw them in prison? Only if they've broken the law, in which case, they should be prosecuted like any other suspected criminal.

      Lynch them? Absolutely not.
      John L. Ries
    • You do know

      When you say Government you are referring to the people of the United States? Whatever power the current government is perceived to wield is just an illusion. Anarchists have no place or role in a lawful society.
      ammohunt
      • The truth is in the middle

        The government and political class are separate from the people, but the politicians ultimately answer to the voters (if they can be bothered to pay attention), so we voters are ultimately responsible.
        John L. Ries
        • yes and no

          As long as the Electoral College can (and has more than once in the past) effectively reversed the vote of the people. Then that argument loses weight.
          On top of that, as long as the bulk of necessary changes to FIX the system must be voted-upon and ratified by those IN the system. Little will truly change with as corrupt as things currently are.
          jonrosen
          • There have been times...

            ...that a candidate has won a plurality (not a majority) of the popular vote, but lost the electoral college, but it doesn't happen very often (only once in the last century) and only if the election is very close. And I don't think it's ever happened that a presidential candidate has gotten a majority of the popular vote and lost the electoral college.

            Arguably, it might be better if the President was actually chosen by the electors as the framers intended, as it would force more attention onto Congressional elections, and allow the President to spend more time doing his job, instead of running for reelection (with its attendant fundraising). It would also allow the President to be a much less partisan figure than he is today. It seems to me that who makes the laws is a much more important aspect of democracy than is who implements them.

            For the record, I favor requiring presidential electors to be chosen by proportional representation, instead of plurality winner-take-all as is done at present; with the House choosing between the top two instead of the top three if no candidate gets a majority, and each Representative getting one vote instead of each state.

            I don't favor direct election of the President, because it would require transferring responsibility for running elections from the states to the feds.
            John L. Ries
      • You should also know...

        The political servants that were honestly voted in (Democrats) and most of those that "cheated" their way to political office via gerrymandering etc. (Republicans) represent their corporations that they sponsor, not the "government" for the people as "the people" of our nation have found out especially post Dubya.
        This is no longer a "lawful society" since the ones voted in AFTER voted in, did the exact opposite of the will of the people to represent and their trusted sole purpose is to be "public servants for the people" of these United States------ one will reap what they sow and people will no longer allow their hard earned money (if they are fortunate enough to make any income in this God forsaken-greedy-Oligarch nation) to be used against them. Anarchists will keep rising and they the "law makers" are working hard to turn this into a 3rd world country---- the "spending problem" the neo cons are screaming about during Pres Obama's term yet NONE of us heard a peep out of them during drunken Dubya Bush spending spree carnage, that myself and future generations are now punished with paying off. So ammohunt you stating: "Whatever power the current government is perceived to weild is just an illusion." means that the power of "the people" in reality have no power? sthu and grow some brains someday
        Di Schnell
        • Wonderful

          I find your argument to be both completely non-pretentious and incredibly objective. Oh, wait, you're just playing the exact same biased finger pointing game that has been getting us nowhere fast for the last 60years. Why don't you take a look at some hard numbers and percentages before spewing off a string of garbage like that? Not saying I like the repubs, or any politicians for that matter, but it doesn't hurt to look at every side of the issue, friends. Facts > Opinion. Every single time.
          64bitdude
  • BillDem you do know its all Loverock Davidson fault

    He left his telnet port open and he's still trying to recompile something or another.
    Over and Out
  • Good coverage VB. Keep it up, please.

    One wonders if the broad vulnerability Anon et al. allude to is related to a compromised contractor bidding problem for the .gov?

    I agree that a graphic/primer on Anon et al.'s armed wing would be useful at this point. I read an interesting interview with Chris Doyon about the full-time membership and activity of this element; maybe you could get a follow up with him?

    But i wouldn't wait too long...

    They may have made themselves eligible as drone targets under the recently released POTUS memo.
    0853RV3R
  • Security Expert on Encryption.

    This guy is an Information Security Expert huh? in what other manner does he propose that sensitive data be stored? He makes it sound as though deriving a hashed password is a trivial matter an experienced guy can just do over his lunch break or free time. You can't decrypt a hash because it's not, you know, encrypted.
    NINJASQUID
  • Alabama's idea of computer security?

    "Y'all turn off the monitor, 'n that way no one can see what's on y'alls computers."
    Mo Reno
    • Republicans bank on stupid ppl to keep them relevant

      For real, there would not be a "neo con party" ahem club for the thieves that keep stealing the tax payers $$$ to fund their corporate masters as is used NOT to help the american ppl, if it were not for all the "derps" aka stupid idiots out there that keep voting for them and against theirs and my and the rest of americans BEST INTERESTS!! These kind of ppl are just too stupid to get it and stop voting for these thugs that have created an organized crime ring to screw everyone below them----
      Di Schnell
      • Partisan drivel...

        ...and completely irrelevant to the comment to which you responded.

        BTW: I'm a registered Democrat, though I'm an unorthodox one and haven't been terribly partisan since I was a teenager.
        John L. Ries
      • You come across as....

        Someone who really isn't intelligent enough and probably should be banned from voting.
        Funkmonkey
  • Stay classy, Fed

    "The Federal Reserve system is aware that information was obtained by exploiting a temporary vulnerability in a Web site vendor product."

    What a bunch of douchenozzles. Blaming it on a 3rd party vendor when they didn't secure their own site. Is it any wonder why everyone hates the Fed?
    Swarley
  • federal reserved

    Following the release of August's disappointing jobs report, the Federal Reserve said that it would think about further efforts to jump-start the country's economic recovery. Thursday, its ideas for that economic stimulation effort were made public. Get a cash-advance to help pay for things while you are looking for a job.
    apprenticeme