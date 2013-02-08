By Alister Bull and Jim Finkle and Rick Rothacker
Feb 7 The U.S. Federal Reserve said on Thursday
it was still working to determine the extent its computer
systems had been breached by hackers, adding that the incident
was the subject of a criminal probe by the Federal Bureau of
Investigation.
"We are in the process of a comprehensive assessment to
determine what information might have been obtained in this
incident," said Federal Reserve spokesman Jim Strader. "We
remain confident that this incident did not affect critical
operations of the Federal Reserve."
The online intrusion, which has embarrassed the U.S. central
bank and raised questions about the effectiveness of its
security, was publicized on Sunday by activist group Anonymous.
The integrity of the Fed's systems is vital to ensure
confidence in its ability to securely transmit highly
confidential information, including communications about U.S.
monetary policy and the banks that it supervises.
The Fed statement on Thursday was its first explicit
acknowledgment that it did not yet know the extent of the
security breach. Cyber-security specialists say it takes time to
thoroughly investigate a stealthy intrusion by skilled hackers.
Anonymous claimed that it had published personal information
from more than 4,000 U.S. bank executives gleaned from a
password-protected Fed website.
The website, called the Emergency Communication System
(ECS), exists to provide bank contact information in the event
of a natural or other disaster. It is managed by the St. Louis
Federal Reserve Bank.
A message sent by the Fed to ECS users and obtained by
Reuters on Tuesday warned that personal information, including
mobile and business telephone numbers, email and business
addresses, had been obtained by the online intruders.
Strader said it was possible that more information might
still be released by the hackers, but declined to spell out if
data from a site other than the ECS had been obtained.
"This incident is the subject of an active criminal
investigation with the FBI and we cannot comment further," he
said.
The Fed also declined to comment on when the attack took
place, how long it took for the breach to be discovered and what
type of system or vulnerability was exploited.
A review by Reuters of the code on the ECS site home page
shows it runs on ColdFusion, a program used to build websites
that software maker Adobe Systems Inc patched in
mid-January to repair several critical security flaws.
The company said hackers could take advantage of those bugs
to break into computer systems, access restricted files and take
control of affected servers.
WARNINGS OF WEAKNESS
The Fed's inspector general recommended in a 2012 audit
published in November that the central bank implement a security
review process for third party systems located outside its
system. The Fed was not immediately able to clarify if the ECS
website breached by Anonymous fell in this category.
The information published by Anonymous so far has not
ruffled feathers among the bankers affected.
"It hasn't been much of a hassle," said Jo David Cummins,
president and CEO of Community First Bank of the Heartland in
Illinois. "The information that was on the contact system was
the same thing that was on my business card, so it wasn't like
it was anything that could do any harm to me or the bank."
The hacking claim was made via Twitter over an account
registered to OpLastResort, which is linked to Anonymous, a
loosely organized group of hacker activists who have claimed
responsibility for scores of attacks on government and corporate
sites over the past several years.
OpLastResort is a campaign that some hackers associated with
Anonymous have started to protest against the government's
prosecution of computer prodigy Aaron Swartz, who committed
suicide on Jan. 11.
Swartz was charged with using the Massachusetts Institute of
Technology's computer networks to steal more than 4 million
articles from JSTOR, an online archive and journal distribution
service. He faced a maximum sentence of 31 years if convicted.
Cyber-security specialists said they assumed the Fed is
under constant attack from hackers, including by state-sponsored
online snoopers, and that most strikes go unreported.
In a rare admission, the Cleveland Fed confirmed in 2010
that it had been attacked online. Cleveland Fed spokeswoman June
Gates said a test computer was compromised, but the hacker
failed to access any Fed information. The incident came to light
when the crime was prosecuted in a New York court in November
2010.