Fed still gauging extent of hacker breach, FBI on case

Fri Feb 8, 2013 12:54am EST

A view shows the Federal Reserve building on the day it is scheduled to release minutes of the Federal Open Market Committee from August 1, 2012, in Washington August 22, 2012. REUTERS/Larry Downing

A view shows the Federal Reserve building on the day it is scheduled to release minutes of the Federal Open Market Committee from August 1, 2012, in Washington August 22, 2012.

Credit: Reuters/Larry Downing

Related Topics

Feb 7 (Reuters) - The U.S. Federal Reserve said on Thursday it was still working to determine the extent its computer systems had been breached by hackers, adding that the incident was the subject of a criminal probe by the Federal Bureau of Investigation.

"We are in the process of a comprehensive assessment to determine what information might have been obtained in this incident," said Federal Reserve spokesman Jim Strader. "We remain confident that this incident did not affect critical operations of the Federal Reserve."

The online intrusion, which has embarrassed the U.S. central bank and raised questions about the effectiveness of its security, was publicized on Sunday by activist group Anonymous.

The integrity of the Fed's systems is vital to ensure confidence in its ability to securely transmit highly confidential information, including communications about U.S. monetary policy and the banks that it supervises.

The Fed statement on Thursday was its first explicit acknowledgment that it did not yet know the extent of the security breach. Cyber-security specialists say it takes time to thoroughly investigate a stealthy intrusion by skilled hackers.

Anonymous claimed that it had published personal information from more than 4,000 U.S. bank executives gleaned from a password-protected Fed website.

The website, called the Emergency Communication System (ECS), exists to provide bank contact information in the event of a natural or other disaster. It is managed by the St. Louis Federal Reserve Bank.

A message sent by the Fed to ECS users and obtained by Reuters on Tuesday warned that personal information, including mobile and business telephone numbers, email and business addresses, had been obtained by the online intruders.

Strader said it was possible that more information might still be released by the hackers, but declined to spell out if data from a site other than the ECS had been obtained.

"This incident is the subject of an active criminal investigation with the FBI and we cannot comment further," he said.

The Fed also declined to comment on when the attack took place, how long it took for the breach to be discovered and what type of system or vulnerability was exploited.

A review by Reuters of the code on the ECS site home page shows it runs on ColdFusion, a program used to build websites that software maker Adobe Systems Inc patched in mid-January to repair several critical security flaws.

The company said hackers could take advantage of those bugs to break into computer systems, access restricted files and take control of affected servers. ((here))

WARNINGS OF WEAKNESS

The Fed's inspector general recommended in a 2012 audit published in November that the central bank implement a security review process for third party systems located outside its system. The Fed was not immediately able to clarify if the ECS website breached by Anonymous fell in this category.

The information published by Anonymous so far has not ruffled feathers among the bankers affected.

"It hasn’t been much of a hassle," said Jo David Cummins, president and CEO of Community First Bank of the Heartland in Illinois. "The information that was on the contact system was the same thing that was on my business card, so it wasn’t like it was anything that could do any harm to me or the bank."

The hacking claim was made via Twitter over an account registered to OpLastResort, which is linked to Anonymous, a loosely organized group of hacker activists who have claimed responsibility for scores of attacks on government and corporate sites over the past several years.

OpLastResort is a campaign that some hackers associated with Anonymous have started to protest against the government's prosecution of computer prodigy Aaron Swartz, who committed suicide on Jan. 11.

Swartz was charged with using the Massachusetts Institute of Technology's computer networks to steal more than 4 million articles from JSTOR, an online archive and journal distribution service. He faced a maximum sentence of 31 years if convicted.

Cyber-security specialists said they assumed the Fed is under constant attack from hackers, including by state-sponsored online snoopers, and that most strikes go unreported.

In a rare admission, the Cleveland Fed confirmed in 2010 that it had been attacked online. Cleveland Fed spokeswoman June Gates said a test computer was compromised, but the hacker failed to access any Fed information. The incident came to light when the crime was prosecuted in a New York court in November 2010.

(Reporting by Alister Bull in Washington, Jim Finkle in Boston and Rick Rothacker in Charlotte, N.C.; Editing by Phil Berlowitz, Tim Ahmann and Andre Grenon)

((alister.bull@thomsonreuters.com)(+1-202-898-8329)(Reuters Messaging: alister.bull.thomsonreuters.com@reuters.net))

FILED UNDER:
We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/
Comments (3)
Harry079 wrote:
“We remain confident that this incident did not affect critical operations of the Federal Reserve.”

Somehow that doesn’t sound so reassuring.

But hey it’s the Fed the only entity that can create money out of thin air.

Feb 07, 2013 10:01pm EST  --  Report as abuse
ICthruU wrote:
It is quite troubling that evidently cyberwarfare is taking place on such an extensive and unmitigated scope. Although the self-proclaimed group claims to be engaging in “hacktivism” for political protest, sometimes associated with a recent incident, the reality is that this group is now behaving with unrestrained abuse, intimidation, denial of rights, and violation of privacy of anyone on the radar. They are data mining online comments and targeting them in the cyberworld with hacking and organized-crime-like intrusions into their freedoms.

These people are anarchists who are cyber rioting. Regardless of the false flag they raise for their cause, they have shown that they will
overtake even the US government’s computers. They are also interfering with the free speech of people on public media sites by interfering with posting of public comments.

As retaliation for my civil criticism of some of their tactics, I was hacked and my freedom to post on Twitter, Reuters, and other sites
is obstructed 90% of the time. Today, I received an email from a stranger with my photo hacked from private records.

Please recognize that this is the tip of an iceberg which would
put a deep gash on the US flagship “Titanic” if this country is not
wise and responsive. Our nation runs on computers and they are NOT
merely targeting government for political purposes.

Feb 08, 2013 1:51am EST  --  Report as abuse
Animated wrote:
“We are in the process of a comprehensive assessment to determine what information might have been obtained in this incident,” said Federal Reserve spokesman Jim Strader. “We remain confident that this incident did not affect critical operations of the Federal Reserve.”

This is a complete contradiction…how can you still be assessing what information was obtained…BUT be confident that critical operations were not affected????? If you dont know the full extent of the hack…how can you be confident about anything?

Feb 08, 2013 6:28am EST  --  Report as abuse
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.