STRATFOR



6933
12-26-11, 09:35
Dumbasses didn't even encrypt our data. Not sure what this says. Talk about a security lapse. Thanks assholes, now I have to worry about something else.

VooDoo6Actual
12-26-11, 09:47
The frustrating part is WE will never know who is really behind it due to media control. If they print it people will believe it to further their cause....

Anonymous or ? et al....

SeriousStudent
12-26-11, 10:29
A hundred years ago, you had to decide if your money was safer in a local bank, or if you should still keep it locked up at home.

Today, you are faced with the same decision. But you can't go look at the impressive safe, or stern-looking guards.

Credit card companies publish standards for safekeeping data. But for those people in the industry, they are often considered a list to be checked off. Also, many people have been breached, while being certified as compliant with PCI-DSS standards. Hannaford is arguably the most famous on that list.

What is truly needed is something akin to a visible score by the local public health department. You get inspected, and get a visible grade. But a lot of companies do not wish to do that. If you got an "F", the bad guys would swarm like vultures. If you get an "A", some folks would take it as a challenge. So companies (including mine) adopt a low profile. We take the home security approach: "I don't have to be Fort Knox, I just have to be strong enough that you go break in someplace else." And we are pretty freaking strong.

But these days there are so many robbers, and so many tools, that break-ins seem inevitable. And if they are really, really good, your data is copied and you never know it's gone.

I honestly foresee a growth in data surety programs, where third-parties offer "seals of approval". And wait for the lawyers to get involved in that. "You besmirched my good name, sir!" Ever been sued by a Fortune 10 company? It's fun to watch, but only from the sidelines.

Security should be baked in, not bolted on. That's the problem today. People are trying to retrofit security on existing systems, due to cost constraints. And that just does not work.

So your money all boils down to money, just like you thought.

Army Chief
12-26-11, 10:42
A hundred years ago, you had to decide if your money was safer in a local bank, or if you should still keep it locked up at home ...

Phenomenal analysis SS, as per usual.

AC

Irish
12-26-11, 11:18
And these guys are supposed to be on top of their shit.


Dear Stratfor Member,

On December 24th an unauthorized party disclosed personally identifiable information and related credit card data of some of our members. We have reason to believe that your personal and credit card data could have been included in the information that was illegally obtained and disclosed.

Also publicly released was a list of our members which the unauthorized party claimed to be Stratfor's "private clients." Contrary to this assertion the disclosure was merely a list of some of the members that have purchased our publications and does not comprise a list of individuals or entities that have a relationship with Stratfor beyond their purchase of our subscription-based publications.

We have also retained the services of a leading identity theft protection and monitoring service on behalf of the Stratfor members that have been impacted by these events. Details regarding the services to be provided will be forwarded in a subsequent email that is to be delivered to the impacted members no later than Wednesday, December 28th.

In the interim, precautions that can be taken by you to minimize and prevent the misuse of information which may have been disclosed include the following:

- contact your financial institution and inform them of this incident;
- if you see any unauthorized activity on your accounts promptly notify your financial institution;
- submit a complaint with the Federal Trade Commission ("FTC") by calling 1-877-ID-THEFT (1-877-438-4338) or online at https://www.ftccomplaintassistant.gov/; and
- contact the three U.S. credit reporting agencies: Equifax (http://www.equifax.com/ or (800) 685-1111), Experian (http://www.experian.com/ or (888) 397-3742), and TransUnion (http://www.transunion.com/ or (800) 888-4213), to obtain a free credit report from each.

Even if you do not find any suspicious activity on your initial credit reports, the FTC recommends that you check your credit reports periodically. Checking your credit reports can help you spot problems and address them quickly.

To ease any concerns you may have about your personal information going forward, we have also retained an experienced outside consultant that specializes in such security matters to bolster our existing efforts on these issues as we work to better serve you. We are on top of the situation and will continue to be vigilant in our implementation of the latest, and most comprehensive, data security measures.

We are also working to restore access to our website and continuing to work closely with law enforcement regarding these matters. We will continue to update you regarding the status of these matters.

Again, my sincerest apologies for this unfortunate incident.

Sincerely,

George Friedman

6933
12-26-11, 11:43
That email had my blood boiling.

Mauser KAR98K
12-26-11, 11:45
Hey, FBI, 'bout time to really go after Anonymous, don't you think?

Wait, Obama likes what they are doing.

SeriousStudent
12-26-11, 12:21
The FBI and other TLA's are pursuing Anonymous. There have been arrests made.

The problem is that they are such a diffuse group as to defy the term "organization". It's not like taking down a Mafia family, where you have clearly delineated command structures and crews.

This is not meant to defend our current President, AG, or other folks I am not personally fond of. Just pointing out that it can be difficult to find these people and make an indictable case. It's more complicated than saying "Get 'em, boys!"

I know that most of you are just expressing frustration. I'd sleep much easier without these folks ever touching a computer again, myself.

Iraqgunz
12-26-11, 13:48
STRATFOR isn't all that. If you go back and look at many of their predictions and information it's mediocre at best.

No one should be surprised by Anonymous' ability to hack. Our own government can't protect most government agencies from being hacked by the Russians or Chinese.

It's obvious that Anonymous has some seriously smart people in their organization.

SteyrAUG
12-26-11, 14:31
I guess this is one advantage to being broke.

I also never got scammed by Madoff.

Getting rich is only the first half of the battle, keeping it is the other.

Army Chief
12-26-11, 18:39
I don't concur with a blanket assertion of mediocrity, and am not sure that Stratfor's strengths lie in forecasting as much as with providing a broader context for understanding current events; that said, I would not want to be their IT department head right about now. It seems puzzling that more precautions weren't taken, given the nature of their livelihood. The e-mail updates going out on their mailing list right now smack of desperation, and rightfully so. Thank goodness their individual subscription rates were always high enough to dissuade me from giving them my credit card number.

AC

Armati
12-26-11, 19:13
No one should be surprised by Anonymous' ability to hack. Our own government can't protect most government agencies from being hacked by the Russians or Chinese.

It's obvious that Anonymous has some seriously smart people in their organization.

Actually, most of America's civil and govt infrastructure is shockingly vulnerable to attack. We are WIDE open to a full scale cyber attack and we may have some difficulty determining who did it.

We spend trillions in "defense" to support a Cold War era military/industrial/congressional complex.

Mauser KAR98K
12-26-11, 20:21
Actually, most of America's civil and govt infrastructure is shockingly vulnerable to attack. We are WIDE open to a full scale cyber attack and we may have some difficulty determining who did it.

We spend trillions in "defense" to support a Cold War era military/industrial/congressional complex.

It's going to take another 9/11 but in a cyber sense to wake us up, and will probably be matched by a post-9/11 in trampling of privacy.

6933
12-26-11, 20:52
I don't concur with a blanket assertion of mediocrity, and am not sure that Stratfor's strengths lie in forecasting as much as with providing a broader context for understanding current events...

Exactly.

SeriousStudent
12-26-11, 22:18
I'm comfortably in my lane here.

I think many of us have found ourselves in the position of recommending a course of action, and having it shot down due to costs.

Good defenses cost money in two ways. You either buy technology (an okay method) or you hire smart people and let them do what they need to do. The second method can be just as expensive or more expensive, and it's often viewed as a waste. But smart people are better. Security is not magic pixie dust you sprinkle on a router or network, it's a process that involves every swinging Richard in the organization.

If you build a highly-secure environment, and do not get breached, a LOT of managers (not leaders) view that as a waste. Trust me, I've sat in rooms and listened to that very statement, from people that get paid over a million dollars a year.

If you build a combat outpost or firebase in the middle of bad guy country and don't get attacked, will some pencil neck back in the States accuse you of wasting all that money?

You respond with "Shut yer cakehole, I spent the money and all my guys are coming home alive." But the beancounter never sees the enemy.

There are a lot of us geeks that see the enemy, and even talk to them at times. Go to Black Hat or Def Con. Fire up mIRC and chat with some friendly Ukrainians.

So it is entirely possible that they could have some serious uber-geeks who know what to do, but get denied funding. Sound familiar? Not everybody gets Noveske's; sometimes they buy you Shrubmasters. So you bitch a little, and fix the stuff as best you can.

I don't know anybody at StratFor, but I bet somebody here does. They might be Alpha Geeks, or they could be Geek Squad rejects from Worst Try.

But it's entirely possible they will get fired as sacrificial lambs, for not protecting something they were not given the tools to protect. Technology costs money, so does brains. But management always sees IT as a cost center, and very rarely as a competitive edge.

This is not a defense of Stratfor, and this is not an attack on any poster here. It's an explanation. I want a dollar for every time I have said "So you trust me at 3 am in a server farm, but you don't trust me at 3 pm across a conference table."

Somebody eff'd up. But I'll bet you a box of Hornady TAP it was a VP that opened an infected email that compromised his user account. So the same booger eater that denies the money also infects the company. I've helped clean up three other organizations where spear-phishing or whaling was exactly how they got hit.

Search and assess can be applied multiple ways.

Irish
12-30-11, 16:58
WARNING!!! ALERT!!! Hacker collective Anonymous has just dumped 200 GB of names, email addresses and passwords for around 860,000 Stratfor users. Anonymous also exposed credit card numbers for 75,000 paying customers of Stratfor. (http://www.washingtonpost.com/business/technology/anonymous-exposes-860k-stratfor-users-and-75k-credit-card-numbers/2011/12/30/gIQA5oXqQP_story.html)

“It’s time to dump the full 75,000 names, addresses, CCs and md5 hashed passwords to every customer that has ever paid Stratfor. But that’s not all: we’re also dumping ~860,000 usernames, email addresses, and md5 hashed passwords for everyone who’s ever registered on Stratfor’s site… Did you notice 50,000 of these email addresses are .mil and .gov?”

SeriousStudent
12-30-11, 18:50
Want to wager how many of those people have the same user name and password on their online banking site?

Irish, thanks for the warning about the release.

montanadave
12-30-11, 21:25
Brief article in the NYT: http://www.nytimes.com/2011/12/30/technology/hacker-attacks-like-stratfors-require-fast-response.html?ref=technology

Reiterates some of the same points made by SeriousStudent above.

NYT also reporting another hack by Anonymous on a veterans owned website Special Forces, which apparently sells military-inspired merchandise, once again obtaining CC info and passwords of customers. Here's the link: http://bits.blogs.nytimes.com/2011/12/29/stratfor-hackers-claim-another-attack/

Armati
01-03-12, 21:53
How credible is the information of an organization who was unable to predict that their own systems would be subject to a very simple attack by a group of amateurs?

Every good hotel in town knows how to protect their high end client's privacy and security.

SeriousStudent
01-03-12, 22:23
Brief article in the NYT: http://www.nytimes.com/2011/12/30/technology/hacker-attacks-like-stratfors-require-fast-response.html?ref=technology

Reiterates some of the same points made by SeriousStudent above.

NYT also reporting another hack by Anonymous on a veterans owned website Special Forces, which apparently sells military-inspired merchandise, once again obtaining CC info and passwords of customers. Here's the link: http://bits.blogs.nytimes.com/2011/12/29/stratfor-hackers-claim-another-attack/

Kevin Mandia is a sharp guy. He was really good at the FBI, and left to form Mandiant. He recruited some very sharp folks from the Air Force and other places.

If your cookies are on fire, he's one of the people that can get them out of the oven. He and his folks also publish a lot of free tools worth investigating.

SeriousStudent
01-03-12, 22:49
How credible is the information of an organization who was unable to predict that their own systems would be subject to a very simple attack by a group of amateurs?

Every good hotel in town knows how to protect their high end client's privacy and security.

I would be very hesitant to characterize Anonymous as a group of amateurs. They have a broad and disparate membership, with varying skill levels.

It's akin to saying "They are just a bunch of Soldiers." Well, you have folks that shouldn't be issued water for their squirt guns, and you have stone cold professionals that would chill anyone's blood.

Armati, I'm not talking smack to you at all. I respect what you have taught me on this site.

All it takes is a single vulnerability on an exposed system, and you are off to the races. Penetration testers use a huge array of tools and knowledge to jump from system to system, the way troops used island hopping in WWII. I've compromised a single externally-facing system that someone forgot to patch just once, and from there went inside for the crown jewels.

One group did an analysis of the StratFor customer password hashes that were released. The thing that was really sad was the lack of strong passwords, by people that should have known better. Their own customers who were interested in security: many of them used shitty passwords.

http://www.thetechherald.com/articles/Report-Analysis-of-the-Stratfor-Password-List

There are a lot of "password safes" that you can use, to store complex passwords and still have them available for easy use. This one is not bad, and is free:

http://www.keepass.info/

There are other apps that work for iPhones and Droids. Some will sync your passwords with "the cloud", so they are available on many devices. Paranoid bastige that I am, I don't trust anyone but me and my dog, and I keep an eye on the dog.

This stuff is honestly another form of terrorism. You have to be perfect, they only have to get lucky once to potentially make millions. And remember that computer crime generates more cash worldwide than illegal drugs, and is much safer for the criminals. Billions of dollars are stolen every month. So they can afford to hire very skilled people, and they do.

And guess how many computer-skilled cops are chasing them? Not enough, because the money is in the private sector. The good thing is that there are organizations that work together cooperatively.

Besides, when the cops find out you are a geek that likes guns, all sorts of fascinating conversations happen. :D
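The two points above, that the leaked list was unsalted MD5 hashes and that many customers picked weak or shared passwords, are easiest to see in code. This is an added example, not anything from the thread or from Stratfor: the user table, the passwords and the small blocklist are all constructed, and the hardened form (per-user random salt plus PBKDF2-HMAC-SHA256, with a registration-time blocklist check) is a generic recommendation, not a description of what any site in the thread actually does.

```python
"""Unsalted MD5 password storage versus salted, iterated hashing (added example)."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample of a user table; not real accounts or real hashes from any breach.
SAMPLE_USERS = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "password1",        # same password as alice
    "dave": "Tr0ub4dor&3xK9!q",  # a strong, unique password
}

# Constructed blocklist of well-known weak passwords (a real one would be much longer).
COMMON_PASSWORDS = {"123456", "password", "password1", "letmein", "qwerty"}


def md5_hex(password: str) -> str:
    """Unsalted MD5 of the password, the scheme the leaked list reportedly used."""
    return hashlib.md5(password.encode()).hexdigest()


def build_unsalted_table(users: Dict[str, str]) -> Dict[str, str]:
    return {user: md5_hex(pw) for user, pw in users.items()}


def duplicate_hash_groups(table: Dict[str, str]) -> Dict[str, List[str]]:
    """Group users by identical hash. With no salt, every pair of users who chose
    the same password is visible without recovering a single password."""
    groups: Dict[str, List[str]] = {}
    for user, digest in table.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def is_blocklisted(password: str, blocklist=COMMON_PASSWORDS) -> bool:
    """Registration-time check: refuse passwords on a known-weak list."""
    return password.lower() in blocklist


# Hardened storage: 16-byte random salt per user, slow iterated hash.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so verification timing leaks nothing about the digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def build_salted_table(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    return {user: hash_password(pw) for user, pw in users.items()}


def duplicate_salted_digests(table: Dict[str, Tuple[bytes, bytes]]) -> int:
    """Number of colliding digests; with per-user salts this is 0 even for shared passwords."""
    digests = [digest for _, digest in table.values()]
    return len(digests) - len(set(digests))


if __name__ == "__main__":
    unsalted = build_unsalted_table(SAMPLE_USERS)
    print("users sharing a hash:", duplicate_hash_groups(unsalted))
    print("accounts that a blocklist would have rejected:",
          [u for u, pw in SAMPLE_USERS.items() if is_blocklisted(pw)])
    salted = build_salted_table(SAMPLE_USERS)
    print("colliding salted digests:", duplicate_salted_digests(salted))
    salt, digest = salted["alice"]
    print("alice verifies with the right password:", verify_password("password1", salt, digest))
    print("alice verifies with the wrong password:", verify_password("password2", salt, digest))
```

The unsalted table shows why the dump was analysable at all: equal passwords give equal hashes, so shared and common choices stand out immediately. The salted table shows the fix on the storage side; the blocklist check shows the fix on the user side, which is the part the thread is really complaining about.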

Armati
01-04-12, 21:35
I would be very hesitant to characterize Anonymous as a group of amateurs. They have a broad and disparate membership, with varying skill levels.

It's akin to saying "They are just a bunch of Soldiers." Well, you have folks that shouldn't be issued water for their squirt guns, and you have stone cold professionals that would chill anyone's blood.

Armati, I'm not talking smack to you at all. I respect what you have taught me on this site.

Naw homie, it's all good.

But what I am saying is that this was not a State sponsored attack. It was a bunch of enthusiasts, many of whom have never met each other, who mounted an attack on the PII of influential people in the security sector.

STRATFOR should be fully aware of the sort of target it represents to the hacker community. As an intel analysis outfit they should be aware of asymmetrical cyber warfare, what sort of targets the hacker community is targeting, and what their ideological motivations are.

If they (and quite a few other organizations) cannot figure this out, I recommend they start reading 2600, find out when the next convention is, and get a read on the bomb throwing anarchists of the cyber world.

Now, if they (and others) cannot crack this nut, then they are ****ED when they have to go toe-to-toe with the Russians, the Chinese, North Korea and possibly Iran.

SeriousStudent
01-05-12, 00:11
I follow you, and agree with you. Threat modeling is not just something you do as a bomber pilot. If you are a smart geek, you do it as well. I've taught classes on exactly that topic.

They did have a big red dot on their chests, just like HBGary and others. I think the old days of "I just need to be tougher to break into than my neighbor" are gone. The attack tools are automated, and require minimal skill sets. So the knowledge level of the defenders needs to be much higher.

Statistically speaking, the majority of the "members" of Anonymous probably are script-kiddies. The challenge is that it eventually becomes Darwinian. Much like the folks that oppose you and your Soldiers, those lacking skill are quickly removed from the field.

And I do read 2600, I just make a point of paying cash for it at the store. ;) I'm not sure who watches what subscription lists.

I did some more reading, and touched base with some people. What is now claimed is that they stored hashes, rather than the actual user passwords. They did keep credit card numbers, but you can thank the credit card companies for that. If they do not store them and a customer disputes the charge, they are not paid for that transaction.

I've worked with companies that take in tens of billions of dollars a year in credit card transactions. None of them want to keep CCN's. But they don't really have a choice.

As disappointing as this breach was, it's nothing compared to what has happened with some of the major banks. I actually have two banks now. One for the mortgage and checking, and my "real money" is in another. The first had a low rate. The second bank is really an IT security firm that loans money.

Speaking of conventions, you should go to DefCon - the Wall of Sheep is always fascinating reading. And if I see somebody from StratFor the next time I'm at Black Hat, I'll be sure and knee them in the groin for you. ;)

6933
01-05-12, 09:48
Stay on top of this if you were a subscriber. My email acct. and cc associated with the site have been compromised.

montanadave
01-07-12, 22:24
I got spammed today (I think) with 3-4 emails with multiple links from a george.friedman with a "Rate Stratfor's Incident Response" subject line.

Text referred to "the recent intrusion by those deranged, sexually deviant criminal hacker terrorist masterminds."

WTF?

Irish
01-08-12, 08:55
MD - Here's a real email I got from them yesterday.


Dear Stratfor Reader,

While addressing matters related to the breach of Stratfor’s data systems, the company has been made aware of false and misleading communications that have circulated within recent days. Specifically, there is a fraudulent email that appears to come from George.Friedman[at]Stratfor.com.

I want to assure everyone that this is not my email address and that any communication from this address is not from me. I also want to assure everyone that Stratfor would never ask customers and friends to provide personal information through the type of attachment that was part of the email at issue. This email, and all similar ones, are false and attempt to prey on the privacy concerns of customers and friends. We strongly discourage you from opening such attachments. We deeply regret the inconvenience this latest development has created.

While Stratfor works to reestablish its data systems and web presence, we ask everyone to please look for official communications, such as this one, and to monitor the Stratfor Facebook page and Twitter feed for company-approved communications.

Thank you for your patience.

Please direct any questions and concerns to feedback@stratfor.com.

Sincerely,

George Friedman
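The follow-up phishing wave described in the last few posts (a mail pretending to come from George.Friedman[at]Stratfor.com, with an attachment asking for personal details) is the kind of thing a subscriber or a mail admin can triage mechanically. Below is an added example, not from the thread and not any of Stratfor's own tooling: it parses a constructed sample message with Python's standard `email` package and lists the reasons it should be treated as suspect. The domains, headers, attachment and body text are all made up, and `stratfor.com` is assumed to be the domain a genuine notice would come from.

```python
"""Triage checks for a suspicious breach-notification email (added example)."""
import email
import os
import re
from email import policy
from email.utils import parseaddr
from typing import List

TRUSTED_DOMAIN = "stratfor.com"  # assumed: the domain a real notice would be sent from
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".zip", ".html", ".htm", ".doc", ".docm"}
PERSONAL_DATA_WORDS = r"\b(card|password|ssn|social security|account number)\b"

# Constructed sample; modelled on the thread's description, not a real message.
SAMPLE_RAW = b"""From: "George Friedman" <george.friedman@stratfor-notice.example>
Return-Path: <bounce@mailer.example>
To: subscriber@example.org
Subject: Rate Stratfor's Incident Response
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please open the attached form and confirm your card details.
--XYZ
Content-Type: application/octet-stream; name="response_form.html"
Content-Disposition: attachment; filename="response_form.html"
Content-Transfer-Encoding: base64

PGh0bWw+PC9odG1sPg==
--XYZ--
"""


def domain_of(header_value: str) -> str:
    """Extract the domain from a header like 'Name <user@host>' (empty if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def attachment_names(msg) -> List[str]:
    return [part.get_filename() for part in msg.iter_attachments() if part.get_filename()]


def triage(raw: bytes, trusted_domain: str = TRUSTED_DOMAIN) -> List[str]:
    """Return the reasons a message should be treated as suspect (empty list = nothing found)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    # 1. Display name can say anything; the address domain is what matters.
    from_domain = domain_of(msg.get("From", ""))
    if from_domain != trusted_domain:
        reasons.append(f"From domain '{from_domain}' is not '{trusted_domain}'")

    # 2. Envelope sender on a different domain than the visible From.
    rp_domain = domain_of(msg.get("Return-Path", ""))
    if rp_domain and rp_domain != from_domain:
        reasons.append(f"Return-Path domain '{rp_domain}' differs from From domain '{from_domain}'")

    # 3. Attachments of types that commonly carry scripts or forms.
    for name in attachment_names(msg):
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"attachment '{name}' has a risky type ({ext})")

    # 4. Body that asks the reader to supply personal or payment data.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if re.search(PERSONAL_DATA_WORDS, text, re.IGNORECASE):
        reasons.append("body asks for personal or payment data")

    return reasons


if __name__ == "__main__":
    for reason in triage(SAMPLE_RAW):
        print("-", reason)
```

None of the four checks is conclusive on its own; a genuine notice can legitimately fail the Return-Path test when a mailing provider sends it. The point is the combination, and that the visible display name is never evidence of anything, which is exactly the lesson of the fake "george.friedman" mails in the thread.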

montanadave
01-08-12, 09:47
Thanks for the clarification. I did not have a paid Stratfor subscription but had accessed their site and registered. Worst case, I suppose the hackers may have my email. No CC or personal info.