Wysopal told CSO Online: "The problem extends beyond Federal Reserve-controlled systems. I spoke to the IT security personnel at one financial institution affected, and they were making sure the executive changed his password on all systems they controlled in case the password was reused there. It would also extend to any personal accounts the banking executive victims have."
Waldman agreed. "Both the institutions and the individuals contained in this list WILL be specific targets of Social Engineering and hacking attacks," he told ZDNet.
Mark Baldwin, principal researcher and consultant at InfosecStuff, said he hasn't seen anything to make him think OpLastResort is overstating their hack. "The impact of this breach is debatable, but the fact of the breach itself and the information disclosed seems pretty cut and dried," he said.
Wysopal also complained in his blog post that the Fed wouldn't identify either the vendor or the product that had been hacked. "I wish they would just come out and say exactly what the problem was so that other users of the 'website vendor product' could check to see if they are vulnerable and ask the vendor how to fix it," he wrote. "The attackers already know the vulnerability so it is likely many more sites are being exploited with the same vulnerability."
"Who exactly is the Fed protecting by not releasing this information?" Wysopal wrote.
Chester Wisniewski, a senior security adviser at Sophos, guessed that product in question was Adobe's Cold Fusion, which had flaws fixed only two weeks ago. "I am sure the change controls at the Fed don't allow that fast of a response after a patch," he said.
Wysopal told CSO Online he could understand the Fed not sharing details if this was not a common technology, but he said they could at least say it was a unique vulnerability to them. "Voluntary information sharing is hurt every time there is a breach and there is the perception by security professionals that if they knew what had happened they could secure their organizations better with that information, yet there is no sharing," he said.
Baldwin also said he was troubled at the Fed's lack of transparency. "It makes me wonder if this was more a case of a patch that should have been applied, but wasn't, or possibly an admin account with default credentials that were not changed," he said. "I suspect it was something pretty basic or else they would be more willing to share the details."
Wisniewski agreed. "We have to collaborate if we want to improve," he said. "They may not want to point the blame, but it could help others protect themselves if we knew the details. Hiding things never helps."
Sign up for MIS Asia eNewsletters.