U.S. government officials, from President Obama to the ranks of Congress, regularly claim they want voluntary, substantive sharing between the public and private sectors on cyberattacks, vulnerabilities and breaches. Given that, the Federal Reserve is not on message following a Super Bowl Sunday hack.
The Fed acknowledged this week only what it had to -- that one of its websites had been breached on Super Bowl Sunday by a group calling itself OpLastResort, which is tied to the hacktivist collective Anonymous.
But the Fed's claim that only contact information of more than 4,000 bank executives had been compromised, along with refusing to provide details on other crucial information, drew both scorn and anger from the security community.
In statements issued to various media outlets, the agency downplayed the seriousness of the event. Reuters quoted a spokeswoman as saying the Fed was aware that information was obtained by exploiting a temporary vulnerability in a website vendor product. "Exposure was fixed shortly after discovery and is no longer an issue," she said. "This incident did not affect critical operations of the Federal Reserve system." All the people affected by the breach had been notified, she added.
But the agency wasn't saying much else. It wouldn't identify what website had been hacked. Eventually, several publications including ZDNet said the exposed database belongs to The St. Louis Fed Emergency Communications System (ECS), which is the emergency communications system for 17 states, with an estimated 40% of America's state-chartered banks as its users.
It wouldn't identify the "website vendor product." And it said claims by the hackers that they had obtained login credentials, including hashed passwords and IP addresses were "overstated." The Fed did say the passwords had been reset as a precautionary measure.
But Chris Wysopal, cofounder and CTO of Veracode, counters that the Fed was understating the case. Writing on the Veracode blog, Wysopal listed the information headers in the data dump that included names, addresses, phone numbers, emails, IP addresses, login IDs and salted/hashed passwords.
"[This] is a spear phishing bonanza and even a password reuse bonanza for whoever can crack the password hashes," he wrote. "This is about the most valuable account dump by quality I have seen in a while."
ZDNet quoted Jon Waldman, a senior information security consultant at Secure Banking Solutions, saying the Fed is "simply incorrect by saying there's not account details on the list."
"I've seen that list and it is absolutely rife with account details," Waldman told ZDNet. "Usernames and hashed passwords are included with salts. Anyone worth their weight in the technology field can decrypt a hashed password."
Waldman accused the Fed of "a blatant and irresponsible lack of tact and urgency in the response ... I'd go as far as to say they have irrevocably LIED to their constituents here."
Sign up for MIS Asia eNewsletters.