Editor’s Note: For information on federal regulation of cybersecurity, see Regulatory Cyber Security: The FISMA Focus IPD.
Summary: The Federal Reserve has confirmed Sunday’s Anonymous hack; ZDNet has learned the exposed information is from thousands of Fed emergency system bank contacts.
After Anonymous posted sensitive credentials of over 4,600 banking executives to a government Web site on Super Bowl Sunday, the Federal Reserve acknowledged the attack in a Tuesday morning statement to affected individuals and press.
However, while a spokesperson from the Federal Reserve told The Huffington Post that Anonymous’ claim to the hack’s importance was “overstated,” information security professionals that serve financial institutions are saying the exact opposite—and are not best pleased with the Federal Reserve.
ZDNet has now learned that the compromised and exposed database belongs to The St. Louis Fed Emergency Communications System.
According to The Banker’s Advocate, ECS is the emergency communications system for seventeen states, with plans to add seven new states this year.
ECS estimates it holds 40 percent of America’s state-chartered banks as its users.
The ECS was deployed in 2008 and is the means by which bank supervisory agencies, such as the Bank Department and the Federal Reserve's Supervision and Regulation function, communicate with financial institutions during emergencies.
The ECS system enables agencies to establish two-way communications channels with institutions during a crisis to exchange critical information; crises such as natural or man-made disasters (weather, fire, and so on), “chemical biological events or threats,” and “events affecting the financial markets.”
Sensitive information on thousands at state-charter banks and credit unions—including login information, credentials, IP addresses, and contact information—was listed in a spreadsheet and posted to a government site, then announced and claimed by the “Operation Last Resort” faction of Anonymous.
The compromised government Web site used to host the spreadsheet, that of the Alabama Criminal Justice Information Center, did not respond to requests for comment from the Washington Post.
The page—with URL filename “oops-we-did-it-again”—remained accessible into early Monday morning PST. A cached version of the page was still available as of Tuesday afternoon, as well as a copy of the raw text placed on Pastebin at the time of the attack.
A Federal Reserve spokesperson told Reuters exactly what it sent in the email to affected individuals, saying: “The Federal Reserve system is aware that information was obtained by exploiting a temporary vulnerability in a Web site vendor product.”
Contact from the Federal Reserve to affected individuals was independently verified to ZDNet by a source, who spoke on terms of confidentiality.
ZDNet’s source provided a copy of Federal Reserve’s email to those on the list, revealing that affected institutions were notified about a breach and that their passwords to the affected system (a Web site with a contact database for banks to use during a natural or man-made disaster) would be changed.
Tuesday morning, those on the list, along with news media, received this information from The Federal Reserve Bank of St. Louis:
The Federal Reserve System has learned that user contact data from its Emergency Communications System (ECS), a system used by the Federal Reserve and state banking departments to notify depository institutions of operational status in the event of natural or other disasters, was obtained and posted on the internet by an outside group that exploited a temporary vulnerability in a vendor website product. The vulnerability was remediated quickly after discovery, and the incident did not impact any critical operations of the Federal Reserve System.
We are bringing this information to your attention because you are a registrant for ECS. Information obtained from the registrants consisted of mailing address, business phone, mobile phone, business email, and fax. Some registrants also included optional information consisting of home phone and personal email. Despite claims to the contrary, passwords were not compromised, but nonetheless, have been reset as a precautionary measure.
The source told ZDNet, “The banks on the list were not compromised.”
GIS map of compromised banks made with Geocommons.
The St. Louis Fed Emergency Communications System services American state member banks and credit unions.
Its Web site reads:
Welcome to the Emergency Communications System (ECS), a free service that allows your financial institution to receive important communications from your regulatory agency during crises such as a natural or man-made disasters, or events that dramatically affect the financial markets.
Officials who are selected as your institution’s emergency contacts simply register by creating a user id and submitting relevant contact information. After registering, individuals can update their contact information at any time, allowing the contact information to remain current and accurate.
Please note that registrants are only contacted in the event of an emergency and during semi-annual tests. This information is not shared with anyone else other than your respective regulatory agency.
Following attacks on U.S. government Web sites last weekend, Anonymous claimed the new “Operation Last Resort” .gov Web site strike just as the Super Bowl football game ended.
The OpLastResort campaign demands “reform of computer crime laws” and investigation of “overzealous prosecutors” in response to the suicide of young hacker, anti-SOPA activist, and Reddit co-founder Aaron Swartz.
On January 25, Anonymous commandeered the U.S. Federal Sentencing Web site to distribute Operation Last Resort “warheads” (encrypted files that Anonymous suggested contain sensitive information).
The ussc.gov attack and defacement were followed by the government regaining control of the site only temporarily, until Anonymous retook it and replaced it with a mocking, playable version of Asteroids.
The U.S. Sentencing Commission Web site remains disabled and “under construction” as of this writing.
In official replies to constituents, the Federal Reserve stated no actual account information was compromised, and that this incident was not of significant importance.
Jon Waldman, a senior information security consultant whose firm specializes in serving small-to-medium sized financial institutions such as those on the list, explained to ZDNet his anger at The Fed's downplaying of the incident, saying:
The Federal Reserve is simply incorrect by saying there’s not account details on the list. I’ve seen that list and it is absolutely rife with account details. Usernames and hashed passwords are included with salts. Anyone worth their weight in the technology field can decrypt a hashed password. The Fed did state that the passwords weren’t “compromised,” but that just means that they weren’t listed out in plain-text.
As an information security expert, it’s my official position that there was a blatant and irresponsible lack of tact and urgency in the response by the Federal Reserve to the individuals and institutions contained in this list. I’d go as far as to say they have irrevocably LIED to their constituents here. Granted, there’s no immediate threat of funds-transfer or additional data loss, but there’s certainly an imminent danger here to each and every one of those accounts that have been exposed.
This list is, in fact, still publicly available via a Chinese website, meaning all of this information is still out there for anyone with cyber-crime propensities to access and utilize.
Waldman’s outrage aside, he explained the risk to individuals on the list thusly:
Both the institutions and the individuals contained in this list WILL be specific targets of Social Engineering and hacking attacks. Not only was business information (phone numbers and emails) included in this list, but personal information (cell numbers and email addresses) as well. Additionally, the External IP address information (the IP address that identifies that host or institution on the Internet) for these institutions was contained in this list.
Thus, if you happen to be a precarious individual involved with some back-door dealings, including attempts to swindle individuals out of money or confidential information, and I presented you with a list of 4000+ phone numbers of financial institutions to call in an attempt to extract customer account information or internal bank information from tellers or employees, wouldn’t you be pretty interested?
How about a list of 4000+ banking executives to whom one could send a targeted phishing email? 4000+ bank executive personal cell phone numbers to call? What could one do with that? Calls or text messages? Or even better, a list of 4000+ External IP Addresses that one could hack or perform a denial of service attack against.
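Waldman's point that salted hashes are still exploitable is worth making concrete. The Python below is an added example, not code from the article, from the Federal Reserve or from the ECS vendor; the account names, salts, passwords, wordlist and both hashing schemes (a single salted SHA-256 round, and PBKDF2-HMAC-SHA256 at 100,000 iterations) are assumptions constructed for the demonstration, and nothing about the real ECS password storage is known from the page. It shows what an attacker holding a "username, salt, hash" export actually does: passwords are not decrypted but guessed offline, a salt only stops one precomputed table from being reused across every account, weak passwords fall to a plain dictionary attack regardless, and a slow KDF raises the cost of each guess without preventing the attack.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# ---- Two password-storage schemes a vendor product might use ----------------
# Hypothetical fast scheme: one round of SHA-256 over salt||password.
def fast_salted_sha256(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()

# Hypothetical slow scheme: PBKDF2-HMAC-SHA256 with an assumed work factor.
PBKDF2_ITERATIONS = 100_000

def slow_pbkdf2(password: str, salt: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt.encode("utf-8"), PBKDF2_ITERATIONS).hex()

Hasher = Callable[[str, str], str]

# ---- Constructed leak ---------------------------------------------------------
# Made-up accounts for the demo; these are NOT records from the ECS data set.
_CONSTRUCTED_ACCOUNTS: List[Tuple[str, str, str]] = [
    ("jdoe@examplebank.test",  "a1b2c3d4", "Summer2013"),       # weak, in wordlist
    ("kmiller@examplecu.test", "9f8e7d6c", "password1"),        # weak, in wordlist
    ("rchen@examplebank.test", "0badcafe", "Rm!8vQ2#zt7LpW"),   # strong, not in wordlist
]

def build_leak(hasher: Hasher) -> List[Tuple[str, str, str]]:
    """Produce the rows an attacker would see: (username, salt, digest)."""
    return [(user, salt, hasher(pw, salt)) for user, salt, pw in _CONSTRUCTED_ACCOUNTS]

# Tiny constructed wordlist; real attacks use millions of entries plus mangling rules.
WORDLIST: List[str] = ["123456", "password", "qwerty", "letmein",
                       "Welcome1", "password1", "Summer2013", "Spring2013"]

# ---- The attack ---------------------------------------------------------------
def crack_record(salt: str, digest: str, hasher: Hasher,
                 wordlist: Sequence[str]) -> Tuple[Optional[str], int]:
    """Offline dictionary attack on one salted digest.

    Returns (recovered password or None, number of hash computations spent).
    The salt is public in the leak, so it is simply fed back into the hasher.
    """
    for guesses, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(hasher(candidate, salt), digest):
            return candidate, guesses
    return None, len(wordlist)

def crack_leak(records: Sequence[Tuple[str, str, str]], hasher: Hasher,
               wordlist: Sequence[str]) -> Dict[str, Optional[str]]:
    """Run the dictionary attack over every leaked row."""
    return {user: crack_record(salt, digest, hasher, wordlist)[0]
            for user, salt, digest in records}

def salt_defeats_shared_table(password: str, salts: Sequence[str],
                              hasher: Hasher = fast_salted_sha256) -> bool:
    """True when the same password hashes differently under each salt.

    That is all a salt buys: one precomputed table cannot be reused across
    accounts. It does nothing against per-account guessing of weak passwords.
    """
    return len({hasher(password, s) for s in salts}) == len(set(salts))

if __name__ == "__main__":
    for name, hasher in (("salted SHA-256", fast_salted_sha256),
                         ("PBKDF2 x%d" % PBKDF2_ITERATIONS, slow_pbkdf2)):
        print(name, crack_leak(build_leak(hasher), hasher, WORDLIST))
    print("salt blocks shared table:",
          salt_defeats_shared_table("password1", ["a1", "b2", "c3"]))
```

Under both schemes the two weak passwords are recovered and the strong one is not; the difference is that every guess against the PBKDF2 rows costs 100,000 HMAC computations instead of one, which is what "slow hash" buys and why the Fed's precautionary reset was the right move even if the hashes were salted. The practitioner's takeaway is the same one Waldman makes: treat a leaked salted hash as a leaked password on any account whose password could appear in a wordlist.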
There are many unanswered questions, and larger questions loom. We will report updates as they happen.