On Super Bowl Sunday, Anonymous released what it claimed were the usernames, passwords, and affiliations of 4,600 banking executives. Yesterday, the Fed confirmed that it had been hacked and that information had been stolen, while privately assuring the executives themselves that their passwords were never actually leaked.
The action was part of OpLastResort, a campaign inspired by the death of information freedom activist Aaron Swartz that seeks to force the U.S. government to make sentences for hacktivism proportionate to the crime, i.e., to treat it as civil disobedience rather than a felony.
Other initiatives under the OpLastResort umbrella have included the dud “warhead” purporting to dox people in the witness protection program and the hack of the U.S. Sentencing Commission website, among others, which were wiped and replaced with the arcade game Asteroids. USSC.gov remains “under construction” pending presumed security upgrades.
Information security consultant Jon Waldman told ZDnet that the Fed’s claim that passwords were not leaked is misleading if not plain false. “I’ve seen that list and it is absolutely rife with account details. Usernames and hashed passwords are included with salts. Anyone worth their weight in the technology field can decrypt a hashed password. The Fed did state that the passwords weren’t ‘compromised,’ but that just means that they weren’t listed out in plain-text.” I’ve seen the list and agree with Waldman: The passwords are there, along with the keys to decrypt them.
The compromised system is the Emergency Communications System for banks, a sort of digital hotline between banks and the Fed, to be used in case of emergency—anything from natural disasters to alien attacks. The system data was accessed via a hack of the Alabama Criminal Justice Information Center, highlighting Anonymous’s OpLastResort focus on targeting the justice system. The site remains offline while being “sanitized” after the attack.
When the Fed alerted bankers to the breach, it had to resort to plain old email.