Anonymous apparently exploited a weak spot in a system connected to the Fed in retaliation for the U.S. government's prosecution of Internet activist Aaron Swartz, who committed suicide while facing hacking charges. The incident raised awareness not only of the group's cause, but also of how inexplicably vulnerable sensitive government systems remain to common attack vectors.
The hacktivist collective Anonymous announced via a tweet during last Sunday's Super Bowl that it had published a data dump containing private information tied to more than 4,000 U.S. bank executives.
It included a spreadsheet containing login information and credentials, along with IP addresses and personal contact information pulled from a St. Louis Fed Emergency Communications System database, ZDNet reported.
The website used for the data dump belongs to the Alabama Criminal Justice Information Center (ACJIC). The URL path was ominously titled "oops-we-did-it-again."
Anonymous' Last Resort
The attack was mounted in connection with Anonymous' Operation Last Resort, a campaign that calls for "reform of computer crime laws, and the overzealous prosecutors." It was launched after Internet activist Aaron Swartz, who was facing a 35-year jail sentence after being arrested on hacking charges, committed suicide. Swartz helped to establish the social media blog Reddit and cocreated the RSS 1.0 specification.
The relevance of the latest hack attack to Swartz is unclear, however.
"What is the point here?" asked Charles King, principal analyst at Pund-IT. "From the reports around Swartz's suicide, it seems that the federal prosecutor was pushing the case even as the state prosecutor decided to drop the case -- but there is no direct link, unless Anonymous is trying to target the entire federal government."
Attack Vector
Motivation aside, questions remain as to how the hack was accomplished and whether any sensitive data has been compromised. Apparently, the operation was not particularly complicated.
"It looks like this was an SQL injection," said Ken Baylor, Ph.D., research vice president at NSS Labs.
SQL injection attacks have long been known as one of the top Web application vulnerabilities. How was it that such a sensitive financial website could succumb to this type of attack?
"Evidently the intrusion was made into a private website that contains emergency contacts, and the purpose of this site is to provide a clearinghouse in case of a disaster that could disrupt the banking community," Pund-IT's King told TechNewsWorld.
"It is not really clear how it happened, as you'd assume this site would be firewalled to some point," he added.
"The intrusion likely happened in the hosting software," King speculated. "Between the public Web and private database of the private banker information, there was a flaw that allowed this intrusion to happen. There are other sites that use this type of software, so hopefully the maker/developer will go in to fix the flaw."
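The flaw King describes, a web front end that splices user input into queries against a private contact database, is the classic shape of a SQL injection. The following is an added illustration, not code from the breached system or from any vendor; the contact table, its rows and the two lookup functions are constructed for the example, and it shows why the vulnerable form returns the whole table for a crafted input while the parameterized form does not.

```python
import sqlite3

# Constructed sample data standing in for an emergency-contact directory;
# none of these values come from the breached system.
SAMPLE_CONTACTS = [
    ("alice", "pw-hash-1", "10.0.0.1", "alice@example.test"),
    ("bob", "pw-hash-2", "10.0.0.2", "bob@example.test"),
]


def build_db():
    """Create an in-memory table mirroring the kind of data described."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts (username TEXT, pw_hash TEXT, ip TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?, ?)", SAMPLE_CONTACTS)
    return conn


def lookup_vulnerable(conn, username):
    # Untrusted input is spliced into the SQL text, so any quote characters
    # in the input become part of the query's logic rather than its data.
    sql = "SELECT username, email FROM contacts WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    # Parameter binding: the value travels separately from the statement,
    # so it is compared as data and cannot rewrite the WHERE clause.
    sql = "SELECT username, email FROM contacts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    crafted = "x' OR '1'='1"  # tautology turns the filter into "match everything"
    print("vulnerable:", lookup_vulnerable(db, crafted))  # dumps every row
    print("hardened:  ", lookup_hardened(db, crafted))    # returns nothing
```

The same pattern applies to any database driver: the fix is to never build the statement text from request data, and to audit the hosting software for the string-built queries that the vulnerable function above exemplifies.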
Sensitive Data
Whether the data that was compromised is actually something that could be useful to cybercriminals is a matter of debate at this point.
"There were some emails and personal information, but the Fed says it has gotten in touch with all the people on the list and told them to change their passwords," said King. "It is probably best classified as a simple nuisance or embarrassment."
Rumbles in the security community suggest the Fed may be downplaying the breach and that the information could, at the very least, be valuable for future social engineering exploits.
Still, this "isn't going to compel anyone to change any laws," NSS Labs' Baylor told TechNewsWorld. "There was nothing truly critical in the data. This is getting news, but this is not one of those high-profile attacks."