Fed stays secretive after Anonymous hack

Security experts ask if government won't share information, why should the private sector?

U.S. government officials, from President Obama to the ranks of Congress, regularly claim they want voluntary, substantive sharing between the public and private sectors on cyberattacks, vulnerabilities and breaches. Given that, the Federal Reserve is not on message following a Super Bowl Sunday hack

The Fed acknowledged this week only what it had to -- that one of its websites had been breached on Super Bowl Sunday by a group calling itself OpLastResort, which is tied to the hacktivist collective Anonymous.

But the Fed's claim that only contact information of more than 4,000 bank executives had been compromised, along with refusing to provide details on other crucial information, drew both scorn and anger from the security community.

In statements issued to various media outlets, the agency downplayed the seriousness of the event. Reuters quoted a spokeswoman as saying the Fed was aware that information was obtained by exploiting a temporary vulnerability in a website vendor product. "Exposure was fixed shortly after discovery and is no longer an issue," she said. "This incident did not affect critical operations of the Federal Reserve system." All the people affected by the breach had been notified, she added.

But the agency wasn't saying much else. It wouldn't identify what website had been hacked. Eventually, several publications including ZDNet said the exposed database belongs to The St. Louis Fed Emergency Communications System (ECS), which is the emergency communications system for 17 states, with an estimated 40% of America's state-chartered banks as its users.

[Also see: Obama weighs executive order on cybersecurity]

It wouldn't identify the "website vendor product." And it said claims by the hackers that they had obtained login credentials, including hashed passwords and IP addresses were "overstated." The Fed did say the passwords had been reset as a precautionary measure.

But Chris Wysopal, cofounder and CTO of Veracode, counters that the Fed was understating the case. Writing on the Veracode blog, Wysopal listed the information headers in the data dump that included names, addresses, phone numbers, emails, IP addresses, login IDs and salted/hashed passwords.

"[This] is a spear phishing bonanza and even a password reuse bonanza for whoever can crack the password hashes," he wrote. "This is about the most valuable account dump by quality I have seen in a while."

ZDNet quoted Jon Waldman, a senior information security consultant at Secure Banking Solutions, saying the Fed is "simply incorrect by saying there's not account details on the list."

"I've seen that list and it is absolutely rife with account details," Waldman told ZDNet. "Usernames and hashed passwords are included with salts. Anyone worth their weight in the technology field can decrypt a hashed password."

Waldman accused the Fed of "a blatant and irresponsible lack of tact and urgency in the response ... I'd go as far as to say they have irrevocably LIED to their constituents here."

Wysopal told CSO Online: "The problem extends beyond Federal Reserve-controlled systems. I spoke to the IT security personnel at one financial institution affected, and they were making sure the executive changed his password on all systems they controlled in case the password was reused there. It would also extend to any personal accounts the banking executive victims have."

Waldman agreed. "Both the institutions and the individuals contained in this list WILL be specific targets of Social Engineering and hacking attacks," he told ZDNet.

Mark Baldwin, principal researcher and consultant at InfosecStuff, said he hasn't seen anything to make him think OpLastResort is overstating their hack. "The impact of this breach is debatable, but the fact of the breach itself and the information disclosed seems pretty cut and dried," he said.

Wysopal also complained in his blog post that the Fed wouldn't identify either the vendor or the product that had been hacked. "I wish they would just come out and say exactly what the problem was so that other users of the 'website vendor product' could check to see if they are vulnerable and ask the vendor how to fix it," he wrote. "The attackers already know the vulnerability so it is likely many more sites are being exploited with the same vulnerability."

"Who exactly is the Fed protecting by not releasing this information?" Wysopal wrote.

Chester Wisniewski, a senior security adviser at Sophos, guessed that product in question was Adobe's Cold Fusion, which had flaws fixed only two weeks ago. "I am sure the change controls at the Fed don't allow that fast of a response after a patch," he said.

Wysopal told CSO Online he could understand the Fed not sharing details if this was not a common technology, but he said they could at least say it was a unique vulnerability to them. "Voluntary information sharing is hurt every time there is a breach and there is the perception by security professionals that if they knew what had happened they could secure their organizations better with that information, yet there is no sharing," he said.

Baldwin also said he was troubled at the Fed's lack of transparency. "It makes me wonder if this was more a case of a patch that should have been applied, but wasn't, or possibly an admin account with default credentials that were not changed," he said. "I suspect it was something pretty basic or else they would be more willing to share the details."

Wisniewski agreed. "We have to collaborate if we want to improve," he said. "They may not want to point the blame, but it could help others protect themselves if we knew the details. Hiding things never helps."

Copyright © 2013 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)