Richi Jennings

Intelligence firm Stratfor wasn't very smart about data security

June 16, 2014 6:43 AM EDT


Stratfor: Globally intelligent or universally stupid?

Stratfor is a secretive, shadowy, somewhat-scary company that refers to itself as a "geopolitical intelligence and consulting firm." The company attracted (unwanted) attention in 2011 for a website data breach, finding itself "pwned" by hackivist group AntiSec, and highly embarrased to boot. The incident and resulting data theft revealed details on hundreds of high-profile clients, all of which were uploaded to data-leak haven Wikileaks.

Why was Stratfor so easily hacked? According to new reports based on leaked internal documents, Stratfor should pay as much attention to its own security as much as it does everyone else's.

In IT Blogwatch, bloggers forge new identities and start over.

Filling in for our humble blogwatcher Richi Jennings, is a humbler Stephen Glasskeys.

 
Dell Cameron speaks of mastication, hackification, transubstantiation and exfiltration of PII:

In December 2011, a group of skilled hackers broke into the network of Strategic Forecasting, Inc. (Stratfor), compromising the personal data of some 860,000 customers, including a former U.S. vice president, CIA director, and secretary of state, among others.
...
The hackers, [known as] AntiSec, exfiltrated approximately 60,000 credit card numbers and associated data. ... Roughly 5 million internal emails were obtained by the hackers and later released by the whistleblower organization WikiLeaks.
...
Based on...internal documents ...Stratfor employed substandard cybersecurity prior to the infiltration that left thousands of customers vulnerable to potential identity theft.   MORE


 
And Chris Duckett finds them easy to read:

[The] leaked report said that Stratfor had failed to harden its systems in almost any fashion before the hack took place.
...
Despite having a nominal e-commerce environment for its website, database and e-commerce systems, and a corporate environment for its office employees, the report said that Stratfor had failed to segment its networks, and systems interacting with cardholder data were directly accessible from the corporate subnet.  MORE


 
So easy to read -- and easy to recursively remove by force, says Juha Saarinen:

[A security audit by Verizon] noted that the database driving Stratfor's customer facing website contained a large amount of sensitive information in plain text.
...
The hackers tried to remove evidence of their activities by executing the UNIX 'rm-rf' command at the top level root directory, and succeeded in deleting the data on it and disabling the Stratfor web server. Prior to that, the Stratfor webserver was defaced by Anonymous.  MORE


 
But Peter W. Singer finds that indefensible:

The worst defense: Stratfor had no antivirus,no password policy.  MORE


 
And Dan Stuckey tries to prevent it from happening again:

Stratfor met only 3 of 12 fraud prevention requirements [according to] leaked Verizon report.  MORE


 
Meanwhile, Andrew Panda Blake informs about the FBI:

Stratfor entirely lacked a password management policy when a FBI informant directed hackers to infiltrate its network.  MORE

 

Your humble blogwatcher writes: An earlier version of this post contained an extremely unfortunate phrase. This was not what the compiler intended to say. We're extremely sorry for this.

 

 

Subscribe now to the Blogs Newsletter for a daily summary of the most recent and relevant blog posts at Computerworld.