An internal Federal Reserve site was briefly hacked on Sunday, the US central bank told news outlets on Tuesday.
ZDNet reported on Monday that one or more people claiming to be affiliated with Anonymous apparently published login and private information bled from over 4,000 US bank executive accounts.
As is often the case in these supposedly Anonymous-affiliated hacks, however, “Anonymous” in this instance translates to “whatever.”
The Fed hack was initially claimed to have been carried out in the name of a new Anonymous operation called Operation Last Resort, which purportedly demands US computer crime law reform in the wake of Aaron Swartz’s suicide.
For what it’s worth, another Anonymous account or subgroup, Anonymous X-SecT, has begun calling out the person or people behind Operation Last Resort as frauds, according to media reports.
At any rate, the Somebody/ies who hacked the Fed targeted a database belonging to The St. Louis Fed Emergency Communications System, an emergency communications system for banks in 17 states, according to ZDNet.
The website allows bank execs to update the Fed if their operations are compromised by disasters such as storms or flooding, thus helping the Fed to assess the overall impact of the event on the banking system.
The hackers published the bankers’ personal details on Sunday night during the Super Bowl, including login information, credentials, IP addresses and contact information, and posted a link to the information on Twitter.
Reuters quoted the Fed’s comment:
"Some registrants also included optional information consisting of home phone and personal email. Despite claims to the contrary, passwords were not compromised."
The Fed has reported that its operations were unaffected by the breach.
Bloomberg quoted a statement from the organization in which it laid blame for the security hole on an unnamed “website vendor product”.
The statement was from Richmond Fed IT office spokesman Jim Strader. He said:
"The Federal Reserve system is aware that information was obtained by exploiting a temporary vulnerability in a website vendor product. … This incident did not affect critical operations of the Federal Reserve System. … The exposure was fixed shortly after discovery and is no longer an issue."
This isn’t the first time the Fed’s been breached. A Malaysian man was arrested in 2010 over a credit card scheme after he hacked into and damaged 10 computers associated with a Federal Reserve training system.
No data or information was compromised in that attack, the Fed told Bloomberg at the time.
Subsequently, as the Huffington Post reports, Federal Reserve developers in 2011 discovered a cross-scripting bug in Adobe ColdFusion software, used by some Federal Reserve Bank websites.
Adobe released a patch to fix the weaknesses, which could have been exploited in a cross-site scripting attack that could grant an attacker high-level access privileges to sensitive information by way of injecting malicious client-side scripts.
It’s not known whether Sunday’s breach has anything whatsoever to do with more recent ColdFusion vulnerabilities that were patched on January 15.
So at this point, we know about as much about the identity of the (maybe) culpable software as we do about the identity of the Somebody/ies who hacked the Fed.
That won’t stop conjecture, of course, but in lieu of knowing exactly went awry, perhaps the best takeaway is for everyone to stay on top of patching software.