Stratfor: Globally intelligent or universally stupid?
Stratfor is a secretive, shadowy, somewhat-scary company that refers to itself as a "geopolitical intelligence and consulting firm." The company attracted (unwanted) attention in 2011 for a website data breach, finding itself "pwned" by hacktivist group AntiSec, and highly embarrassed to boot. The incident and resulting data theft revealed details on hundreds of high-profile clients, all of which were uploaded to data-leak haven WikiLeaks.
Why was Stratfor so easily hacked? According to new reports based on leaked internal documents, Stratfor should pay as much attention to its own security as it does to everyone else's.
In IT Blogwatch, bloggers forge new identities and start over.
Filling in for our humble blogwatcher Richi Jennings is a humbler Stephen Glasskeys.
In December 2011, a group of skilled hackers broke into the network of Strategic Forecasting, Inc. (Stratfor), compromising the personal data of some 860,000 customers, including a former U.S. vice president, CIA director, and secretary of state, among others.
The hackers, [known as] AntiSec, exfiltrated approximately 60,000 credit card numbers and associated data. ... Roughly 5 million internal emails were obtained by the hackers and later released by the whistleblower organization WikiLeaks.
Based on ... internal documents ... Stratfor employed substandard cybersecurity prior to the infiltration that left thousands of customers vulnerable to potential identity theft. MORE
[The] leaked report said that Stratfor had failed to harden its systems in almost any fashion before the hack took place.
Despite having a nominal e-commerce environment for its website, database and e-commerce systems, and a corporate environment for its office employees, the report said that Stratfor had failed to segment its networks, and systems interacting with cardholder data were directly accessible from the corporate subnet. MORE
[A security audit by Verizon] noted that the database driving Stratfor's customer facing website contained a large amount of sensitive information in plain text.
The hackers tried to remove evidence of their activities by executing the UNIX 'rm -rf' command at the top level root directory, and succeeded in deleting the data on it and disabling the Stratfor web server. Prior to that, the Stratfor webserver was defaced by Anonymous. MORE
The worst defense: Stratfor had no antivirus, no password policy. MORE
Stratfor met only 3 of 12 fraud prevention requirements [according to] leaked Verizon report. MORE
Stratfor entirely lacked a password management policy when an FBI informant directed hackers to infiltrate its network. MORE
Your humble blogwatcher writes: An earlier version of this post contained an extremely unfortunate phrase. This was not what the compiler intended to say. We're extremely sorry for this.