Monday, December 26, 2011

STRATFOR's STRATCOM Fail


My first instinct was; STRAFOR? Why STRATFOR?
On Saturday, hackers who say they are members of the collective known as Anonymous claimed responsibility for crashing the Web site of the group, Stratfor Global Intelligence Service, and pilfering its client list, e-mails and credit card information in an operation they say is intended to steal $1 million for donations to charity. The hackers posted a list online that they say contains Stratfor’s confidential client list as well as credit card details, passwords and home addresses for some 4,000 Stratfor clients. The hackers also said they had details for more than 90,000 credit card accounts. Among the organizations listed as Stratfor clients: Bank of America, the Defense Department, Doctors Without Borders, Lockheed Martin, Los Alamos National Laboratory and the United Nations.

The group also posted five receipts online that it said were of donations made with pilfered credit card details. One receipt showed a $180 donation from a United States Homeland Security employee, Edmund H. Tupay, to the American Red Cross. Another showed a $200 donation to the Red Cross from Allen Barr, a recently retired employee from the Texas Department of Banking.
Hey, I like those guys. Why didn't they pick on Greenpeace or sump'n? Now, I'm not a Ron Paul supporter, but my first instincts were to ponder - there must be some deeper conspiracy going on here ... what was REALLY on STRATFOR's servers .... and was this REALLY Anon ..... but then ....
Stratfor didn't just expose a website to the public. It also, apparently, put all this other stuff online, in the clear, for the taking.

It's true that websites are like storefronts, and that it's more or less impossible to stop determined people from blocking or defacing them now and again.

Here, however, it looks like Stratfor left private files in the window display, waiting to be grabbed by the first guy to put a brick through the glass.

Now, I'm not America's premier intelligence and security research group, and I'm not a member of its national IT security planning task force. But I'm pretty sure that putting unencrypted lists of credit card numbers and client details on public-exposed servers isn't quite explained by "no matter what you do, every system has some level of vulnerability."
Oh come on. Talk about an easy target. Ummmmm .... let me guess - no one will be contracting STRATFOR for cyber security work in the near future.

13 comments:

DeltaBravo said...

my thoughts exactly when I saw the headlines...  I'm sure they're reaching for the Excedrin and Maalox at Stratfor this morning.

Surfcaster said...

Did the web not learn from TJ Max?

Andy said...

Wow, given that STRATFOR regularly does essays on things like, um, cyber-security, this does seem like EPIC FAIL.  Which does lead one down a rabbit hole, starting with legal investigation 101: Who profits?  (from the hack, the damage to STRATFOR's rep, the access to the data and the data itself, among others)

ewok40k said...

Ouch! and I quite liked their free stuff on the geopolitics and security...
This is going to be a serious blow to STRATFOR, nobody wants to contract a bodyguard that gets mugged in broad daylight...

Jing said...

Honestly the only people who are willing to pay money to "Stratfor" and similar services are idiots spending other people's money. An OCD teenager with an internet connection can cobble together better "intelligence" and strategic analysis and he can be paid off with Mountain Dew and Cheetos.

FCC(SW) said...

You mean like Matt Drudge?

Dymaxion said...

I think Stratfor is good for what it is... an entry to mid-level intel group.   I like their service as "news which takes more time than most media outlets are willing to give"  Sure, they aren't the CIA, but I find their updates interesting.  Not so interesting that I'd pay to get them.  I agree that this has the potential to hit them hard, but I also wondered why Anon would bother with them.

pk said...

it sounds like stratfor has gotten or is getting close to someone  with a great deal of embarrassing stuff to hide and they are taking the "best offense" tack.

who can prove which side is right or wrong for that matter?

C

UltimaRatioRegis said...

Don't believe everything you read. 

I doubt seriously if STRATFOR did any such thing with unencrypted credit card or account information.  TJ MAXX knows better than that.

Part of the new paradigm is to attempt to portray companies which deal in network security as being lax in just those areas.  If unencrypted account information was on the public-access architecture, it is exceedingly likely that an exploit by Anon or someone allied with/hired by them was used to do so below the radar of internal network analysis.  This may have been perpetrated weeks or months ago.  And when Anon accesses those records, they can claim that STRATFOR or similar entities were careless.  It would take forensics months or even years to get to the truth, if they even could.

So, if you find yourself holding your head and yelling "I can't believe they did that!!!", there is a very good chance you shouldn't believe it.  Because they didn't.

Old Nuke said...

Matt Drudge has over a million hits per day and has made a FORTUNE at cobbleing together others works and links.

Old Nuke said...

I think you will find out that STRATFOR is running some kind of sting to determine who and what "ANONYMOUS" is.  I really do not think for a moment that they made themselves this vulnerable without a reason.

Anonymous said...

Interesting comments. My first thought was that it was done by a competitor, who either enlisted help of those folks or simply blamed them (and Anon doesn't know who it is any more than anyone else, and was eager to accept the credit). Since they've announced what they've done, it will be incredibly easy for anyone whose credit card has been compromised to get the money returned, so no charity will benefit from this. Of course, that assumes that anyone's credit card was actually compromised.

Curly said...

It dose not matter the reason that they stole this information. What matters is that THEY STOLD IT! If they catch the perpertraters they should have to repay all that they stold and the cost they caused. They should stan on parol until all is repaid. When convicted they should spend about two weeks in the worst prison then given the oppertunity to get out and go stright. If they commit another crime then they return to day one and serve all.