Federal Reserve Confirms Security Breach, Calls Anonymous Hack Claim 'Overstated'
A Federal Reserve spokesperson confirmed a temporary security breach of its computers to The Huffington Post on Tuesday morning.
"Information was obtained by exploiting a temporary vulnerability in a website vendor product," the spokesperson told HuffPost in a phone interview, adding that the problem was "fixed after discovery and is no longer an issue."
According to the spokesperson, who asked not to be identified by name, the breach "did not affect critical operations."
The confirmation comes in the wake of a claim by hacker group Anonymous on Sunday that it had stolen sensitive information on 4,000 American bank executives from Federal Reserve computers.
Although the security breach has now been confirmed, the spokesperson called Anonymous' claim "overstated," and would not comment on the nature of the data obtained other than to confirm that contact information was taken.
Earlier this week, ZDNet reported that "login information ... credentials, IP addresses, and contact information of American bank executives" were listed in a spreadsheet posted to a government site that Anonymous had hacked.
Even if the breach might not have been as serious as publicized by Anonymous, it is the first actual leak of information achieved by the group's Operation Last Resort. Launched in January, OpLastResort is the Anonymous response to the suicide of Internet activist Aaron Swartz. The group demands "reform of computer crime laws" and investigation of "overzealous prosecutors."
Federal Reserve computers have been hacked before. In 2010, a Malaysian man was arrested in a credit card scheme after managing to hack into and damage 10 computers associated with a Federal Reserve training system, Bloomberg News reported at the time. However, no data or information was accessed or compromised in that attack, a spokeswoman told Bloomberg.
In 2011, Federal Reserve developers discovered a cross-site scripting bug in Adobe ColdFusion software, which is used by some Federal Reserve Bank websites. Such cross-site scripting flaws let an attacker inject malicious client-side scripts into a web page and thereby gain high-level access privileges to sensitive information.
"Web developers working for the Federal Reserve Bank of Atlanta discovered the cross-site scripting vulnerability as part of an internal development project," ThreatPost, an Internet security blog, reported at the time.
In December 2011, Adobe released a patch for ColdFusion that fixed weaknesses it said could be exploited in "a cross-site scripting attack."
In an e-mail to HuffPost, Adobe senior communications manager Wiebke Lips wrote that the company could not comment on the specific breach confirmed Tuesday by the Federal Reserve. According to Lips, a patch released Jan. 15 by Adobe "addressed four vulnerabilities" that had been observed in active attacks against ColdFusion customers.
"These types of attacks are often referred to as 'zero-days' because a fix is not available at the time of the attack," Lips wrote. "As soon as these vulnerabilities were reported to Adobe, we immediately addressed them in the software and provided the fix."
According to an Adobe security bulletin, the recent patch for ColdFusion fixed loopholes that could have enabled a hacker to "circumvent authentication controls, potentially allowing the attacker to take control of the affected server ... could result in information disclosure from a compromised server."
Although it is unclear whether hackers used the recently patched vulnerabilities as a vector for attack, if a third party gained access to sensitive information through ColdFusion, it would follow that computers belonging to the Federal Reserve may have been compromised because their software was not up to date.
The Federal Reserve spokesperson would not elaborate on its security systems other than to say that measures against attacks were "absolutely" in place.