[ISN] Hackers threaten bond auctions

From: InfoSec News (alerts@private)
Date: Tue Sep 05 2006 - 23:08:31 PDT


http://australianit.news.com.au/articles/0,7204,20330947%5E15841%5E%5Enbv%5E,00.html
 
SEPTEMBER 05, 2006
The Australian

DISTRICT banks controlled by the US Federal Reserve have inadequate
security for online auctions of Treasury bonds, leaving information
and systems vulnerable to hackers, the US Government Accountability
Office claims.

The office, the investigative arm of Congress, recommends in a report
released last week that the Fed form an "effective management
structure" for co-ordinating security, and find a way to test auction
software.

The Fed acknowledges the problems, with qualifications. It says it has
fixed many glitches and claims remaining security gaps wouldn't
necessarily permit access violations.

Fed banks help the Treasury process trillions of dollars in bids.

The banks developed software that compares auction bids and determines
how much to award to each bidder.

Louise Roseman, director of the Fed board's Division of Reserve Bank
Operations and Payment Systems in Washington, says in a response
included in the office's report that officials "have taken corrective
actions to remediate many of the findings in the report".

"Although we consider the information security control vulnerabilities
identified in the Treasury auction system report significant and
warranting our serious attention, they should not be construed as
allowing successful circumvention of Treasury auction management and
business operational controls," Roseman says on behalf of Fed chairman
Ben Bernanke.

The office says the Fed banks are vulnerable to hackers for several
reasons, including that anyone on the internet may have been able to
reset a user's password, data encryption isn't strong enough and the
auction application process isn't sufficiently monitored.

