Stolen Data Headers from the Federal Reserve Hack

Just another day at the office. Anonymous hacked into a Federal Reserve computer. Wait, what? Don’t worry, the attackers did not make off with any money, as far as we can tell, or disrupt any critical functions. What did they get? Just the details of 4000 bank executives. The data has been posted to pastebin and hosted on several compromised sites including other government sites. Someone even sent me a link to the data hosted on a gov.cn server! Here is an example of the column headers of the stolen data:

  • ADDRESS1
  • ADDRESS2
  • BUSCELL
  • BUSPH
  • CITY
  • CONFIRMED
  • CONFIRMED_COMMENTS
  • CONTACTID
  • DEACTIVATED
  • DELETED
  • DT_ADDED
  • DT_CONFIRMED
  • DT_DELETED
  • DT_LASTUPDATED
  • EMAIL
  • EMAIL_AUTO_CONFIRMED
  • FAX
  • FIRSTNAME
  • FORCE_PW_CHANGE
  • HOMEPH
  • ID_RSSD
  • INSTITUTION
  • IPADDRESS
  • LASTNAME
  • LOGINID
  • PERSEMAIL
  • PWSALT
  • PWSALTEDHASH
  • STATE
  • TITLE
  • ZIP

As you can see this is a spearphishing bonanza and even a password reuse bonanza for whoever can crack the password hashes. It doesn’t look like any of these are internal Federal Reserve System accounts as those would have FRS AD UIDs associated with each account. Still this is about the most valuable account dump by quality I have seen in a while.

The Federal Reserve has admitted the breach was real and describes the reason as “The Federal Reserve System is aware that information was obtained by exploiting a temporary vulnerability in a website vendor product. The vulnerability was fixed shortly after discovery and is no longer an issue.” Edit: A few people have told me this is the website that was compromised: https://www.stlouisfed.org/bsr/ecs/index.cfm

The extension CFM tells us the application was programmed in cold fusion. The 6 top vulnerabilities in Cold Fusion from Veracodes SoSS are XSS, SQL Injection, Infoleak, Directory Traversal, CRLF injection, and OS Command Injection. All those vulnerabilities could be exploited to gain access to this type of data.

I wish they would just come out and say exactly what the problem was so that other users of the “website vendor product” could check to see if they are vulnerable and ask the vendor how to fix it. The attackers already know the vulnerability so it is likely many more sites are being exploited with the same vulnerability. Who exactly is the Fed protecting by not releasing this information? The security community needs your help.

So we are left to speculate on what could have gone wrong. Websites are often made up of a mix of commercial, open source and custom web application code. Any of the applications could be configured incorrectly which might give access to a file or a database that contained the compromised information. It is also very possible it was an application vulnerability such as SQL injection, directory traversal, or authorization bypass, that could have allowed the attackers to get at the data.

The testing and remediation for these problems is typically not difficult so it is surprising that an organization like the Federal Reserve would have this type of vulnerability on a web site containing sensitive information. I can only surmise that the Fed does not have a supply chain security testing program to help handle its S.O.U.P. With a supply chain security testing program, any commercial, open source, or otherwise 3rd party software would need to have security testing performed on it and vulnerabilities remediated before being deployed on a server.

I hope that we can find out further details of the breach so we can all protect ourselves in the short term if we have the same vulnerability and that we can learn how this could have been prevented with better IT security processes and supply chain security testing.

A final thought. What do you think the cost of this breach is? The Ponemon survey data shows that the average cost per financial services record breached is $247. Using that calculation the breach cost $247 x 4607 = $1,137,929. I would argue a breach of this type will cost much, much more. That is because thousands of organizations are currently resetting executives passwords on all the systems where there may have been password reuse and are following their incident response protocols.

Anti DDoS | February 7, 2013 11:43 am

Anonymous is having a busy year. I agree, the cost of this breach is way more than 1 million. It was a SQL dump, most likely a SQL injection from my point of view.

k0nsl | February 7, 2013 1:00 pm

I’m happy Anonymous have so much success.

Billy Cravens | February 7, 2013 1:41 pm

Keep in mind that there are multiple engines for .cfm pages (Adobe ColdFusion as well as the open source Railo and Open BlueDragon, as well as lesser used solution like New Atlanta BlueDragon). As such the list of vulnerabilities would vary, as the implementations vary. (ColdFusion developer since 1999)

parabellum711 | February 7, 2013 6:11 pm

How much does it cost? In what currency? Federal Reserve notes? That’s not real money. Maybe Anonymous will take down the Federal Reserve and other central banks and actually restore the possibility of prosperity to the world. As it is, we’re all overdosing on the Fed’s fiat.

Joe Hepperle | February 9, 2013 9:02 am

Oh JFC! Don’t we ever learn? The hackers known as ‘Anonymous’ are fronted and run by FBI snitches. Any computers that are hacked were pre-approved to be hacked by the FBI handlers. This is done with inside-data supplied by the FBI (the FBI just hands-over the passwords to their snitch hacker). That’s why one of the recent major (fake) hacks was a (supposed) hack of Police Department private files nationwide. That was information and websites that the FBI already had access to. How soon do we forget the FBI snitch known as ‘Sabu’ who was the putative LEADER of Anonymous’? How soon do we forget the FBI snitch Higinio Ochoa, the putative LEADER of Anonymous sub-group known as ‘CabinCr3w’. The list goes on and on. Anonymous is the FBI.

Joe Hepperle | February 9, 2013 9:12 am

Oh, and how much does it cost? If the people who physically change the passwords are already on Staff, then the cost is ZERO. Any factory manager will tell you that the cost is ZERO if you (the one doing the work) are already on the payroll. Anybody who does their calculations like an immature Kindergartener ought to be have their picture put on an ‘Idiot of the Week’ website. The calculation is NOT, ‘Well, it takes me 10 minutes to change my password, and an hour for the IT department to tell me what it is about, and at $60 dollars an hour that is $70 bucks for me, and $70 buck for IT for a total of $140 bucks!’. WRONG. If the person at the computer, and the IT Staff person are already on the payroll, the cost is ZERO.

Chris Wysopal | February 11, 2013 1:58 pm

Hi Joe,

I suggest reading the Ponemon survey I cite on data breach costs. This is a thoroughly researched survey with real world incident data and will help you understand how the costs of recovery are computed.

-Chris

Please Post Your Comments & Reviews

Your email address will not be published. Required fields are marked *

RSS feed for comments on this post