
Bankers affected say it's no big deal

Jo David Cummins, president and CEO of Community First Bank of the Heartland in Illinois, laughs off Anonymous' mid-January "hack" of a U.S. Federal Reserve database, which scooped up his record and over 4,000 others.  He tells Reuters, "It hasn't been much of a hassle.  The information that was on the contact system was the same thing that was on my business card, so it wasn’t like it was anything that could do any harm to me or the bank."

I. Adobe Flaw Likely Exploited by Hackers

But while it may not be a big deal for most of the affected, the U.S. Federal Bureau of Investigation and the Federal Reserve are taking the incident very seriously.  Comments Federal Reserve spokesman Jim Strader, "We are in the process of a comprehensive assessment to determine what information might have been obtained in this incident.  We remain confident that this incident did not affect critical operations of the Federal Reserve."

The site that the information leaked from was dubbed the Emergency Communication System (ECS).  Although the system was protected by passwords and encryption, Anonymous was able to circumvent those barriers.

It's possible that the attackers used an SQL injection (aka "Little Bobby Tables") style attack.  Such attacks can be prevented if user-supplied input is properly sanitized before it is used to build database queries.
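As an added illustration (not part of the original article), the Python below puts a contact lookup that builds its SQL by string concatenation next to the parameterized form that stops injection; the contact table and its rows are constructed sample data, not anything from the ECS.

```python
import sqlite3

# Constructed sample rows standing in for a "contact system" that holds only
# business-card style details (name, institution, e-mail).
SAMPLE_CONTACTS = [
    ("Jo David Cummins", "Community First Bank of the Heartland", "jdc@example.invalid"),
    ("A. Example", "Example Savings Bank", "a.example@example.invalid"),
    ("B. Example", "Example Trust Co.", "b.example@example.invalid"),
]


def build_db():
    """In-memory SQLite contact table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, institution TEXT, email TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", SAMPLE_CONTACTS)
    return conn


def lookup_vulnerable(conn, name):
    """Concatenates the caller's text into the statement, so it is parsed as SQL."""
    sql = "SELECT name, institution, email FROM contacts WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """Parameterized query: the driver binds `name` as data, never as SQL."""
    sql = "SELECT name, institution, email FROM contacts WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Row counts for a normal name and for the textbook tautology input."""
    conn = build_db()
    honest = "A. Example"
    hostile = "x' OR '1'='1"  # rewrites the WHERE clause only when concatenated
    return {
        "honest_vulnerable": len(lookup_vulnerable(conn, honest)),
        "honest_hardened": len(lookup_hardened(conn, honest)),
        "hostile_vulnerable": len(lookup_vulnerable(conn, hostile)),
        "hostile_hardened": len(lookup_hardened(conn, hostile)),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated version hands back every row for the hostile input, while the parameterized version matches nothing because the whole string is compared as a literal name.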

However, it's also possible that the hackers exploited well-known security flaws in Adobe Systems, Inc.'s (ADBE) ColdFusion suite, which the site was built upon.  In mid-January -- right about the time of the attack -- Adobe patched several critical security flaws that could give malicious users access to restricted files and even allow them to take over servers.

Adobe ColdFusion [image]
An Adobe flaw may have been responsible for the Fed hack. [Image Source: Adobe]

In the press release for the patch, Adobe stated:

This hotfix addresses vulnerabilities that could permit an unauthorized user to remotely circumvent authentication controls, potentially allowing the attacker to take control of the affected server...  Adobe is aware of reports that four vulnerabilities (CVE-2013-0625, CVE-2013-0629, CVE-2013-0631 and CVE-2013-0632, referenced in Security Advisory APSA13-01) are being exploited in the wild against ColdFusion customers.

A 2012 audit at the Fed suggested that a monitoring system be put in place to review security at third-party systems.  It's possible that the ECS falls under that category.

The Federal Reserve System is the backbone of the American banking industry, established before the Great Depression.  The oft-criticized institution is a strange mix of private and public parts.

On the private side, regional Fed banks are largely owned by nationally chartered commercial banks, which are required to be shareholders in their local branch.  On the other hand, the federal government selects and controls the salary of many of the system's top officials; indeed the President himself personally appoints the Fed's Board of Governors.

II. Hackers Still Flaming Mad About Swartz's Death

Many members of the quasi-leaderless hacktivist group Anonymous have been vocal opponents of the Fed and the U.S. commercial banking industry in general, which they label as corrupt and exploitive.

The recent attack is part of the group's dramatically titled "OpLastResort".  The operation is a manifestation of the explosion of anger over the death of online activist Aaron Swartz.  Mr. Swartz, who helped create RSS, reportedly took his own life last month after a long battle with depression and government harassment.

Federal prosecutors had investigated Mr. Swartz after he dumped 4 million papers from the JSTOR network.  JSTOR hosts peer-reviewed journal papers, most of which cost money to access.  Critics of Mr. Swartz's actions argue that journal fees help sustain the costly march of research in fields such as physics, biology, and genetics.  But his supporters argue that academic research should be free to all, not pent up in some ivory cage.


Aaron Swartz [image]

Even some of his critics, though, balked at how the feds allegedly harassed him for the breach.  A pair of petitions to fire the prosecutors involved with the criminal case -- Assistant U.S. Attorney Steve Heymann and his boss U.S. District Attorney Carmen Ortiz -- has been attracting substantial attention.  The petition to remove DA Ortiz has already received 25,000 signatures, meaning that President Barack Obama must respond to it.

III. Sabu to be Sentenced

In a related reminder, former LulzSec mastermind Hector Xavier Monsegur (handles: "Sabu", "Xavier DeLeon", and "Leon") is set to be sentenced on Feb. 22.  Mr. Monsegur founded LulzSec, a sub-unit of Anonymous, and in 2011 led it in hacking Sony Corp. (TYO:6758) several times and in breaching government sites.

Hector Monsegur [image]
Hacker "messiah" Hector Monsegur, a former member of Anonymous's upper echelon, is set to be sentenced later this month.  His sentence will likely be greatly reduced for his role in "snitching" on his fellow hackers.  [Image Source: Fox News]

Unbeknownst to his cohorts, Mr. Monsegur was located by the FBI and offered a plea deal.  The hacker accepted, and for the next few months continued to lead attacks while allegedly serving as a double agent, feeding the feds information that helped them track down other top members such as Topiary, a 19-year-old who was arrested in the UK's Shetland Islands.

The hacker was given a sentencing reprieve due to concerns about his safety and his ongoing cooperation with federal investigations.  He has pleaded guilty to 12 federal computer crimes, which carry a theoretical maximum sentence of 124 years.  It is likely that his sentences will, at a bare minimum, be served concurrently rather than consecutively, which greatly slashes his prison time; bank fraud, one of his charged offenses, alone carries a maximum 30-year sentence.

Source: Reuters



Comments

RE: These sentences are ridiculous
By Ammohunt on 2/8/2013 1:02:44 PM , Rating: 1
So if someone caused a "few million in damage" to your interests(assuming you had that much) you would be ok with that and not want that person to be punished?


RE: These sentences are ridiculous
By adrift02 on 2/8/2013 1:18:32 PM , Rating: 5
He's not saying they shouldn't be punished, he's saying that the system is largely skewed in favor of corporations and those in powerful positions.

The bank example is a good one. They definitely do millions in damages to people through those schemes yet get hit with incredibly lenient sentences comparatively. Even in other areas our justice system is F'ed. Drug sentencing is a great example, as are the big "pirating" cases that have hit (with incredibly unreasonable fines). Here's a controversial one: do you think a sex offender should serve a longer minimum sentence than a murderer while defending themselves as "guilty until proven innocent"? More common than you'd think.

Everything needs to be re-worked because as Anonymous claimed, we crossed that "cruel and unreasonable punishment" line a long time ago to protect corporate interests and political mongering.


RE: These sentences are ridiculous
By cubby1223 on 2/9/13, Rating: 0
By roykahn on 2/9/2013 11:54:19 PM , Rating: 2
You sound just like any tyrant who is describing rebellious groups of people. Say hi to Bashar for me.

Any group of people who seek to improve their rights and raise awareness through civil disobedience go through the same criticism. History repeats.


RE: These sentences are ridiculous
By ritualm on 2/8/2013 6:27:02 PM , Rating: 1
You personally said we should punish black hat hackers with prison terms because they are an affront to the so-called law and order in "a nation of laws".

Meanwhile, because we're sending these folks to prison and Death Row, we find ourselves unable to defend against black hat hackers from the Chinese PLA wreaking havoc on our information systems.

Ammohunt, how does it feel to repeatedly shoot yourself in the foot while your neighbor has your jugular vein squarely in their AR-15 crosshairs?


RE: These sentences are ridiculous
By Armageddonite on 2/8/2013 7:23:35 PM , Rating: 2
1. Which hackers have been sent to "Death Row"?? Provide names.

2. The Chinese hackers usually attack the same targets as Anonymous. These so-called hacktivists are not heroes, they're as bad as a hostile foreign organization.

3. Ammohunt's alleged psychotic neighbor has nothing to do with this discussion.


RE: These sentences are ridiculous
By ritualm on 2/9/2013 1:40:09 PM , Rating: 3
quote:
1. Which hackers have been sent to "Death Row"?? Provide names.

2. The Chinese hackers usually attack the same targets as Anonymous. These so-called hacktivists are not heroes, they're as bad as a hostile foreign organization.

3. Ammohunt's alleged psychotic neighbor has nothing to do with this discussion.

1. Exactly how many white-collar financial executives were sent to prison with hefty jail terms or Death Row over their misdeeds, which affected thousands of innocent people and cost taxpayers upwards of billions?

Now compare how many computer-literate and savvy folks received jail terms for their comparatively harmless behavior.

You don't need quack scientists to see why this is full of bull.

2. The problem with your rationale is we're actively sending our best and brightest in computer security into prisons and/or exporting them to China. Why bother to improve information security this side of the globe when doing just that lands you lengthy jail terms and a guaranteed conviction that bars you from ever constructively contributing to society?

When merely unlocking your phone results in a $1-million fine plus many weeks behind bars, why bother?

The political leaders in Washington currently do not care about cybersecurity of this nation, which is already worrisome enough. But to create more disincentives through repressive law regimes towards decreasing the likelihood of standing on the loser side of cyberwar?

What the hell is wrong with you?

3. You haven't read his latest posts:
quote:
So China employs criminals and we put them in jail. As a nation of laws i am not seeing the issue here. If these blackhats had any concern for western civilization they would put on a white hat and contribute to society in a positive way.

quote:
This is not the movies! black hats with any skill are in it for personal gain, creating chaos and perhaps the thrill of being bad. Asking them to fight for a concept foreign to them such as the greater good as defined by someone else is laughable at best.

Number one - and I'm sure you'll agree - there is no such thing as a "nation of laws" in this country. What laws? The DMCA, Patriot Act, Department of Homeland Security... these aren't enough proof that the upper echelons of power are ridden with criminals? We even have a president willing to bend us all over with obscure Executive Orders, completely bypassing what little judicial protections and measures still exist.

Number two - those hacktivists are not the problem. The root cause is none of the retards at Washington DC takes cybersecurity seriously. All half-assed appearances at beginner security theater, nothing of real substantial value is done, forcing the rest of us to take matters into our own hands. Oh but we cannot do that because that act alone is a criminal felony!

Number three - is this really the message you want to advertise to China? To encourage them to continue hacking us, because we're leaving the door wide open for their e-thieving fingers, while believing there is absolutely no downside in cutting the hands that feed us?

Both you and Ammohunt are delusional.


By hero_of_zero on 2/9/2013 5:18:09 PM , Rating: 2
Executive Orders bit you mad because that's the only real power your prez even has? Take that power away, then what power would the elected prez have? It would turn him and/or her into the queen of England. Be there for show but can't do jack.
Then you could just remove the position of prez and let your fine fine Senate and your excellent highly loved Congress with its super duper high approval rating run free ...


By Simple_Man on 2/10/2013 6:28:00 PM , Rating: 2
1. Names? http://www.gpo.gov/fdsys/pkg/PLAW-107publ56/pdf/PL... What names? http://epic.org/privacy/terrorism/usapatriot/

quote:
"because a truly skeptical position would be a very uncertain one"


RE: These sentences are ridiculous
By Ammohunt on 2/11/2013 11:07:55 AM , Rating: 2
quote:
Ammohunt, how does it feel to repeatedly shoot yourself in the foot while your neighbor has your jugular vein squarely in their AR-15 crosshairs?


That would be a sight to see! My neighbours are ex-Mennonite pacifist hippies; good people, just wrong.


RE: These sentences are ridiculous
By Ammohunt on 2/11/2013 11:24:24 AM , Rating: 1
And by the way, if these guys want to change the world you don't do it pissant by overt action. You do it by changing minds and building a majority opinion. They have the same problem that all these anti-government guys with a desire to start a revolution do; i.e. you don't bomb a federal building affecting innocent people and expect everyone to endear themselves to you and join you in a revolution! Sinn Féin ring a bell? If you can convince ordinary people your ideas are better they will for the most part naturally follow your lead. I see no leadership in Anonymous. Anonymous actions appear to most as a spoiled malcontent minority opinion throwing a tantrum = net effect 0.

Copyright 2014 DailyTech LLC.