The U.S. banking and energy agencies confirmed that
hackers, in separate incidents, breached their systems and made off with
hundreds of accounts.
Two federal agencies acknowledged this week that
hackers had breached their systems and stole the personal and account
information of workers.
On Feb. 3, a group claiming to be affiliated with
Anonymous stated on Pastebin that they had compromised a server at the
Federal Reserve, which oversees the banking system in the United States
and grabbed personal details of 4,000 banking executives. On Wednesday,
the financial agency confirmed that hackers had exploited a flaw and
stolen information.
"The Federal Reserve System is aware that information
was obtained by exploiting a temporary vulnerability in a Website vendor
product. The vulnerability was fixed shortly after discovery and is no
longer an issue," a Federal Reserve spokesperson stated in an e-mail sent to several news agencies. "This incident did not affect critical operations of the Federal Reserve System."
Such an information leak, known as doxing, is a popular way among hacktivists to embarrass a target.
On Feb. 2, the Department of Energy notified employees
that a similar attack had resulted in the leak of hundreds of employees'
and contractors' personally identifiable information (PII) in January.
The incident, first reported by the Washington Free Beacon,
is currently being investigated by the FBI and follows last week's
reports that a number of high-profile media firms—such as The New York
Times, The Wall Street Journal and the Washington Post—had been targeted
by cyber espionage campaigns linked to China.
While the damage from the attacks appears to be minor,
the fact that two government agencies responsible for critical
components of the U.S. economy have been breached is significant, said
Rocky DeStefano, CEO of security consultancy VisibleRisk.
"Losing records or being 'doxed' is annoying and
potentially dangerous, no question. But what would keep me up at night
is the 'what else?'," DeStefano said in an e-mail interview. "If
the aggressors in each situation are willing to release this information
so easily, what else do they maintain access to that we don't yet know
about? To me that is the real question in all of this."
The lack of information about the attacks from each
agency is a cause for concern among security professionals. The Federal
Reserve breach, for example, could lead back to vulnerabilities in
ColdFusion, the software framework used to build the agency's Website,
Chris Wysopal, chief technology officer for application-security firm
Veracode, said in a blog post. Yet, without more information from the Federal Reserve, other companies using the software will be left vulnerable.
"I wish they would just come out and say exactly what
the problem was so that other users of the 'Website vendor product'
could check to see if they are vulnerable and ask the vendor how to fix
it," Wysopal stated.
While some security experts questioned whether Anonymous had overstated the number of bank executives affected by the leak, identity-protection service PwnedList confirmed that 4,608 individuals were impacted by the breach. Of particular concern is that many executives had both a personal and addresses listed, which could lead to convincing spear phishing attacks, Steve Thomas, co-founder of PwnedList, said in an e-mail interview.
"From our analysis, any bank, large or small, should be
concerned about the information that was leaked in this data breach,"
Thomas said. "We have already worked with several banks to help identify
and secure vulnerable executives."
http://www.eweek.com/security/federal-reserve-doe-confirm-hackers-breached-servers-stole-data/
http://www.eweek.com/security/federal-reserve-doe-confirm-hackers-breached-servers-stole-data/
