Anonymous' Hack of Bank System Startling for Its Ease
Anonymous apparently exploited a weak spot in a system connected to the Fed in retaliation against the U.S. government's prosecution of Internet activist Jason Swartz, who committed suicide while facing hacking charges. The incident raised awareness not only of the group's cause, but also of the unaccountable vulnerability of sensitive government systems to common attack vectors.
The hactivist collective Anonymous announced via a tweet during last Sunday's Super Bowl that it had published a document dump including publishing private data tied to more than 4,000 U.S. bank executives.
It included a spreadsheet containing login information and credentials, along with IP addresses and personal contact information pulled from a St. Louis Fed Emergency Communications System database, ZDnet reported.
The website used for the data dump belongs to the Alabama Criminal Justice Information Center (ACJIC). The page extension URL was ominously titled, "oops-we-did-it-again."
Anonymous' Last Resort
The attack was mounted in connection with Anonymous' Operation Last Resort, a campaign that calls for "reform of computer crime laws, and the overzealous prosecutors." It was launched after Internet activist Aaron Swartz, who was facing a 35-year jail sentence after being arrested on hacking charges, committed suicide. Swartz helped to establish the social media blog Reddit and cocreated the RSS 1.0 specification.
The relevance of the latest hack attack to Swartz is unclear, however.
"What is the point here?" asked Charles King, principal analyst at Pund-IT. "From the reports around Swartz's suicide, it seems that the federal prosecutor was pushing the case even as the state prosecutor decided to drop the case -- but there is no direct link, unless Anonymous is trying to target the entire federal government."
Motivation aside, questions remain as to how the hack was accomplished and whether any sensitive data has been compromised. Apparently, the operation was not particularly complicated.
"It looks like this was an SQL injection," said Ken Baylor, Ph.D., research vice president at NSS Labs.
SQL injection attacks have long been known as one of the top Web application vulnerabilities. How was it that such a sensitive financial website could succumb to this type of attack?
"Evidently the intrusion was made into a private website that contains emergency contacts, and the purpose of this site is to provide a clearinghouse in case of a disaster that could disrupt the banking community," Pund-IT's King told TechNewsWorld.
"It is not really clear how it happened, as you'd assume this site would be firewalled to some point," he added.
"The intrusion likely happened in the hosting software," King speculated. "Between the public Web and private database of the private banker information, there was a flaw that allowed this intrusion to happen. There are other sites that use this type of software, so hopefully the maker/developer will go in to fix the flaw."
Whether the data that was compromised is actually something that could be useful to cybercriminals is a matter of debate at this point.
"There were some emails and personal information, but the Fed says it has gotten in touch with all the people on the list and told them to change their passwords," said King. "It is probably best classified as a simple nuisance or embarrassment."
Rumbles in the security community suggest the Fed may be downplaying the breach and that the information could, at the very least, be valuable for future social engineering exploits.
Still, this "isn't going to compel anyone to change any laws," NSS Labs' Baylor told TechNewsWorld. "There was nothing truly critical in the data. This is getting news, but this is not one of those high-profile attacks."