Thursday, February 7, 2013

Anonymous Hits Federal Reserve in Hack Attack

As officials in Washington continue to discuss and warn about cyber-attacks, members of Anonymous claimed to have breached a computer system that the Federal Reserve uses to communicate with bankers in emergencies such as natural disasters and potential acts of terrorism.
On Super Bowl Sunday, members of the group tweeted that they had compromised 4,000 bankers’ credentials from the Federal Reserve.
“Now we have your attention America: Anonymous’s [sic] Superbowl Commercial 4k banker d0x via the FED,” the group tweeted, using the @OpLastResort handle on Twitter.
“The Federal Reserve System is aware that information was obtained by exploiting a temporary vulnerability in a website vendor product,” A Federal Reserve spokesman said in a statement.
“The exposure was fixed shortly after discovery and is no longer an issue. This incident did not affect critical operations of the Federal Reserve System,” the spokesman said.
According to officials, the user data from the Emergency Communications System was compromised, but no financial or monetary policy information was on the system that was breached.
According to federal law enforcement officials, the FBI has opened an investigation into the incident. An FBI spokesperson declined to comment.
Recent activity from Anonymous and the reference to Operation Last Resort concern the death of Aaron Swartz, an Internet developer and activist who started the website  Reddit.  Swartz was indicted by the Justice Department in July 2011 on charges of wire fraud, computer fraud, unlawfully obtaining information from a protected computer and recklessly damaging a protected computer.
Swartz allegedly had downloaded vast information from JSTOR, an online library of academic and scholarly journals and articles that are available for a fee. Swartz believed the articles in JSTOR should be disseminated free of charge. Swartz committed suicide on Jan. 11, 2013 as he believed he was going to be facing a lengthy prison term – possibly as much as 35 years.
Last month, Anonymous hacked the website of the United States Sentencing Commission, also in response to Swartz’s death.
The case has garnered the attention of Congress, with members of the House Oversight and Government Reform Committee writing to Attorney General Eric Holder about how the Justice Department handled the case.
The Justice Department has agreed to brief the committee on the Swartz prosecution, but no date has been set on the briefing, according to a Justice official.

Anonymous Indonesia defaces Myanmar tourism site

Anonymous Indonesia has breached a Myanmar tourism site in retailiation against the government's treatment of the Rohingya people.
The hacktivist group announced late-Wednesday in a Twitter post it had defaced the tourism site,, which provides travel and location information, lodging and sights. A message left in the defacement said the site's data was safe and that the message was meant for the Myanmar government.
"We call on the government of Myanmar to stop the violence and the expulsion against Rohingya based on humanitarian," the message read.
The defacement also contained a link to a news report by The Nation on how the Myanmar government considered the Rohingya race as illegal immigrants and had refused to grant them citizenship rights.
In a Twitter reply to ZDNet Asia on Thursday, Anonymous Indonesia apologized for the defacement and explained it merely wanted to inform the Myanmar government not to expel and oppress the Rohingya race. "They are also part of the people of Myanmar who have long settled in Myanmar," the post read.
Visitors to on Wednesday evening were greeted with the following message from Anonymous Indonesia.
The Web site was restored when ZDNet Asia accessed it at 2pm Singapore time.
Anonymous Indonesia also launched a series of attacks on Indonesian government sites last week which affected, among others, the Law and Human Rights Ministry, the Social Affairs Ministry, the Business Competition Supervisory Commission,and the Central Statistics Agency, a separate report by The Jarkata Post noted.
The hacktivist group said these cyberattacks were in retailiation against the arrest of Wildan Yani Ashari, who had been accused of hacking President's Susilo Bambang Yudhoyono's personal Web site.

Wednesday, February 6, 2013

Anonymous Claims Wall Street Data Dump

The hacktivist collective Anonymous said that it's published a document dump that targets executives at financial services firms.

"Now we have your attention America: Anonymous's Superbowl Commercial 4k banker d0x via the FED," said a Sunday tweet from Operation Last Resort. A followup tweet from the same Twitter channel said, "Yes we posted over 4000 U.S. bank executive credentials."

Operation Last Resort is the name for an Anonymous campaign that seeks "reform of computer crime laws, and the overzealous prosecutors," and which was launched after Internet activist Aaron Swartz committed suicide. Although Swartz had long battled depression, numerous people have come forward to criticize the Department of Justice's handling of his case, including prosecutors' apparent strong-arm tactics.

The Sunday dox – a.k.a. data dump -- appears to contain about 4,600 records, including people's names, email addresses, institutions, IP addresses and login IDs, as well as their salted and hashed password, including the salt that was used. The records stretch to nearly 700 pages, and per the Anonymous tweet, appear to have been obtained from the Federal Reserve System.

The "bankd0x" -- as Anonymous has dubbed it -- initially was published on Pastebin, as well as to the Alabama Criminal Justice Information Center website in an HTML file titled "oops-we-did-it-again.html." After the Alabama state government removed the page, Anonymous reposted it on what appeared to be a Chinese government website.

Is the data legitimate? A small, random sample of the published information revealed names and email addresses that do appear to be real. Other people who investigated the data also suggested that it was legitimate. "OK, I called a few of them," said one Reddit user. "What must be so problematic for the Federal Reserve is not the information so much as this file was stolen from their computers at all. The ramifications of that kind of loss of control is severe."

The timing of the financial data dump appears to have been designed to call attention to a Jan. 28 letter sent to Attorney General Eric Holder by two key members of the House Oversight and Government Reform Committee. Signed by committee chairman Darrell Issa (R-Calif.) and ranking member Elijah Cummings (D-Md.), the letter demands answers to seven questions related to the Swartz case, as well as prosecutors' use in general of the Computer Fraud and Abuse Act (CFAA), and their practice of issuing superseding indictments. The legislators gave Holder a deadline of Monday to schedule a related briefing with them.

The bankd0x isn't the first attack launched by Anonymous as part of Operation Last Resort. Last week, the group hacked the website of the U.S. Sentencing Commission, which establishes sentencing policies and practices for the federal courts, to add a hidden Asteroids game. The group also distributed an encrypted file "warhead," for which it promised to later distribute the decryption keys, unless its CFAA reform demands were met.

At press time, the U.S. Sentencing Commission's website resolved to a single page that said the website "is currently under construction," and that listed a handful of links and contact phone numbers.

Also last month, Anonymous defaced a Massachusetts Institute of Technology website, denouncing the charges that had been filed against Swartz, demanding that the CFAA be reformed, and calling for more open access to information.

Tuesday, February 5, 2013

Federal Reserve Confirms Security Breach, Calls Anonymous Hack Claim 'Overstated'

A Federal Reserve spokesperson confirmed a temporary security breach of its computers to The Huffington Post on Tuesday morning.
"Information was obtained by exploiting a temporary vulnerability in a website vendor product," the spokesperson told HuffPost in a phone interview, adding that the problem was "fixed after discovery and is no longer an issue."
According to the spokesperson, who asked not to be identified by name, the breach "did not affect critical operations."
The confirmation comes in the wake of a claim by hacker group Anonymous on Sunday that it had stolen sensitive information on 4,000 American bank executivesfrom Federal Reserve computers.
Although the security breach has now been confirmed, the spokesperson called Anonymous' claim "overstated," and would not comment on the nature of the data obtained other than to confirm that contact information was taken.
Earlier this week, ZDNet reported that "login information ... credentials, IP addresses, and contact information of American bank executives" were listed in a spreadsheet posted to a government site that Anonymous had hacked.
Even if the breach might not have been as serious as publicized by Anonymous, it is the first actual leak of information achieved by the group's Operation Last Resort. Launched in January, OpLastResort is the Anonymous response to the suicide of Internet activist Aaron Swartz. The group demands "reform of computer crime laws" and investigation of "overzealous prosecutors."
Federal Reserve computers have been hacked before. In 2010, a Malaysian man was arrested in a credit card scheme after managing to hack into and damage 10 computers associated with a Federal Reserve training system, Bloomberg News reported at the time. However, no data or information was accessed or compromised in that attack, a spokeswoman told Bloomberg.
In 2011, Federal Reserve developers discovered a cross-scripting bug in Adobe ColdFusion software, which is used by some Federal Reserve Bank websites. Such cross-site scripting allows an attacker to gain high-level access privileges to sensitive information by way of injecting malicious client-side scripts.
"Web developers working for the Federal Reserve Bank of Atlanta discovered thecross-site scripting vulnerability as part of an internal development project," ThreatPost, an Internet security blog, reported at the time.
In December 2011, Adobe released a patch for ColdFusion that fixed weaknesses it said could be exploited in "a cross-site scripting attack."
In an e-mail to HuffPost, Adobe senior communications manager Wiebke Lips wrote that the company could not comment on the specific breach confirmed Tuesday by the Federal Reserve. According to Lips, a patch released Jan. 15 by Adobe "addressed four vulnerabilities" that had been observed in active attacks against ColdFusion customers.
"These types of attacks are often referred to as 'zero-days' because a fix is not available at the time of the attack," Lips wrote. "As soon as these vulnerabilities were reported to Adobe, we immediately addressed them in the software and provided the fix."
According to an Adobe security bulletin, the recent patch for ColdFusion fixed loopholes that could have enabled a hacker to "circumvent authentication controls, potentially allowing the attacker to take control of the affected server ... could result in information disclosure from a compromised server."
Although it is unclear whether hackers used the recently patched vulnerabilities as a vector for attack, if a third party gained access to sensitive information through ColdFusion, it would follow that computers belonging to the Federal Reserve may have been compromised because their software was not up-to-date.
The Federal Reserve spokesperson would not elaborate on its security systems other than to say that measures against attacks were "absolutely" in place.