The website of global intelligence-analysing firm Stratfor remains offline - a week after hacktivists broke into its poorly secured systems and extracted passwords and credit card details. Members of Anonymous claimed to have broken into the website and slurped 200GB of sensitive information on Christmas Eve. The hackers claim …
"...Stratfor clients include the US military...."
"...Hacktivists boasted that they planned to use the purloined credit card data to make donations to various charities,..."
CSID - meh
"As a result, we have provided paid subscribers with identity protection coverage from CSID, a leading provider of global identity protection, at our expense for 12 months."
The offer was made using an email that actually looked like a phishing attempt (the link shown and the URL did not agree), and CSID weren't set up for the offer anyway, so many people found themselves looking at 404 or other errors when trying to access the site.
An e-mail sent to CSID's support address asking for assistance remains unanswered a week after being sent.
A support ticket submitted via CSID's own website resulted in a standardised reply to a completely different question - having asked how to subscribe to the offered services, I received information about how to recover the password I had not yet set. Less than impressive, but in the end I did manage to locate the right part of their site - which again didn't agree with the info provided by the e-mail invitation.
The 'cover' provided basically means that CSID will keep an eye open to see if ONE mail address, ONE phone number and up to FOUR credit card numbers per person are being bandied about on the Interwebs... which since I already know that the mail address and a credit card number were compromised doesn't really help me an awful lot to be honest, especially since the card's been cancelled as a precaution.
Oh and... CSID were almost certainly chosen not because of the standard of service provided, but because, like Stratfor, they are based in Austin, Texas - so their principals almost certainly know each other if they're both active in the local business community. Just saying.
The CSID sop is just there to make it look like they are a half-way decent organisation, but as you say there doesn't seem much point in having a company monitor to see if your card details have been compromised AFTER they have been compromised.
"Security firms slammed Stratfor for making schoolboy errors, such as not encrypting its password database."
They want to be put out of business for stuff like that! Never mind the police investigating the hackers - investigate this lot and their shitty security! Doesn't the DPA have something to say about things like this?
Quite - I created a hobby website for an MMORPG clan with password auth about 10 years ago and encrypted the passwords (MD5, IIRC) before they hit the database as a matter of course, even though the data really wasn't that interesting or important. If someone forgot their password, an admin had to reset it. My guess is that they wanted to be able to email out people's forgotten passwords, which is convenient, but poor security.
Also, PCI-DSS standards forbid storing credit card information unencrypted anywhere on disk, so that should set alarm bells going too.
not so sure
The really strange thing about all of this is that I looked up my password from the website showing off the leak and they had the wrong password for my Stratfor account.
All of this makes me suspect that someone is exaggerating what all got out.
Not that I'm taking my chances mind you, I have double checked that I haven't used a variation of that password anywhere else and my Credit Card is canceled.
I'm not convinced the DPA has much to say about an American company's American databases on their American servers in America.
Well, unless they also have something called "the DPA"
My understanding is that passwords were hashed. It's credit card and other sensitive ID information that was not. md5 is useless for these things, because you need to be able to decrypt them for repeat billing and the like (otherwise it'd be safer not to store them at all).
Without knowing what hashing algorithm was used for the passwords, it's impossible to speak with confidence, but there's always a possibility of hash collisions -- you may have had the world's greatest password, but a weak hashing algorithm might result in a collision with "password123".
Password hashing is not the issue
@John Riddoch: Hashing the passwords (which is not, by the way, "encrypting" them) is not the issue. Note the bit in the article about "analysis" showing that many of the passwords were weak and so could be brute-forced; if they were kept in plaintext, no analysis or brute-forcing would be necessary. Passwords were almost certainly hashed - ie, discarded after computing a verifier, which was likely a salted cryptographic hash.
The problem is that people choose weak passwords. (The real problem is that passwords are an abysmal authentication mechanism, but that's an argument for another time. Oh, and contra another post, collisions are not worth worrying about if a cryptographic hash is used. While MD5 has been broken for preimage collisions, the probability of an accidental collision is vanishingly small. And it's unlikely Stratfor were using anything more collision-prone.) And when people choose weak passwords, their hashes can be brute-forced with reasonable effort.
So you want to prevent attackers from getting password hashes in the first place. And one way to do that is to encrypt the hash store (which might be a file, a database table, etc). When the server starts, an administrator supplies it with the encryption key, and it decrypts the hash store or individual hashes in memory. Now the server can use the hashes to verify passwords, but someone who grabs the hash store can't extract the hashes unless they also get hold of the encryption key. Often those are separate problems - a vulnerability lets an attacker read arbitrary files from the server's filesystem, say, but not grab the encryption key from the server's memory.
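The key-separated verifier store described above, as an added example that is not code from the thread, from Stratfor or from any commenter. It assumes a PBKDF2 work factor of 100,000 and keys the stored verifiers with an HMAC under the administrator-supplied key rather than encrypting them (the standard library has no AES); the property is the same: the records verify passwords only together with a key that is held in memory and never written to the store.

```python
import hashlib
import hmac
import os

# Constructed example. Each record is (salt, HMAC(server_key, PBKDF2(password, salt))).
# A copy of the records alone (file read, table dump) cannot be used to check
# password guesses; the server key must also be obtained.

PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune for the server


def salted_hash(password, salt):
    """Slow salted hash of the password (the 'verifier' the post refers to)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class VerifierStore:
    def __init__(self, server_key, records=None):
        self._key = server_key        # supplied at start-up; lives in memory only
        self.records = records or {}  # username -> (salt, keyed_verifier); this is what gets persisted

    def _wrap(self, password, salt):
        # Keyed wrap of the salted hash: without self._key nothing can be compared.
        return hmac.new(self._key, salted_hash(password, salt), "sha256").digest()

    def enrol(self, user, password):
        salt = os.urandom(16)
        self.records[user] = (salt, self._wrap(password, salt))

    def verify(self, user, password):
        if user not in self.records:
            return False
        salt, stored = self.records[user]
        return hmac.compare_digest(self._wrap(password, salt), stored)


def demo():
    """Constructed scenario: server holds the key; a copied store is loaded without it."""
    server = VerifierStore(os.urandom(32))
    server.enrol("alice", "correct horse battery staple")
    ok = server.verify("alice", "correct horse battery staple")      # True
    wrong_pw = server.verify("alice", "password123")                  # False
    # Same records, but loaded under a different (guessed) key: even the
    # correct password no longer verifies, so offline guessing is pointless.
    copied = VerifierStore(os.urandom(32), dict(server.records))
    key_missing = copied.verify("alice", "correct horse battery staple")  # False
    return ok, wrong_pw, key_missing


if __name__ == "__main__":
    print(demo())
```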
As you may have realised, my collision comment was in response to the comment about Gerhard Mack's password being wrong, and even then I qualified it with a lack of confidence in my inference.
As for encrypting the hash store -- that's all well and good, until it turns out that your hash store is a database table, and the front end to that database is vulnerable to SQL injection. No idea if that had anything to do with how they got the password and billing details, but since Stratfor got almost everything else wrong, it wouldn't surprise me if simple script kiddie stuff played a big part.
Just keep locking up Anonymous players
They'll eventually get the point.
The point being
not to tell the Emperor that he is, in fact, naked as the day he was born?
How is this an Emperor's new clothes story? Surely this is another Anonymous manage to hack someone who has poor security story? This still doesn't make what they're doing right, or justifiable though. Their current MO seems to be finding a target with poor security, then making up a story to justify what they've done.
Yes and yes.
"Surely this is another Anonymous manage to hack someone who has poor security story?" Yes, it is.
"How is this an Emperor's new clothes story?" Because Stratfor's "primary focus is to help clients with security" [wikipedia]. The rest of the logic is left as an exercise for the reader.
Note the large "citation needed" next to that line in the Wikipedia entry. It's there because the line is actually very wrong.
Stratfor is not a security company; it's a private intelligence service that keeps its subscribers up to date on world events and their likely outcomes. While there is the odd video about physical security, those videos aren't the majority and aren't the primary reason for the site. I have also never seen Stratfor claim to know anything about IT security.
"I have also never seen Stratfor claim to know anything about IT security."
And the existing evidence kind of shows they really didn't know anything. (However, see below.)
Not only that but they were unwilling to spend money protecting their clients/customers/subscribers by paying someone who did.
Given their role in the world, it's surprising people pay them money for intelligence updates - better to not spend the money on their skills and take the risk, just like they did.
BTW, the Stratfor site did say:
"Provides strategic intelligence on global business, economic, security and geopolitical affairs."
Before the takedown, they provided briefings like this one: http://www.stratfor.com/analysis/cyberwarfare_101_internet_mightier_sword
So they claim to have been able to provide "security intelligence" and historically claimed to provide intelligence on hackers (including trends, threats and attack vectors).
This kind of implies they knew what hackers did to compromise systems but assumed it would never happen to them.
The stark bonded truth ........ deny it if you must, mais c'est la vie au naturel
The System is a bit slow to realise that it is no longer in sole executive administrative control and therefore is absolute power lost and rapidly diminishing as currency is drained away to other power units ........ and SMART Power Units and growing SMARTer at a prodigious rate to boot, for a triple whammy of novel innovative change to renegade hopes.
"Two things are infinite: the universe and human stupidity; and I'm not even sure about the universe."~~ Albert Einstein (1879-1955)
Where I come from
we eschew all the multisyllabic obfuscation and just call it Red Terror.
This much we already know
Yes, such simplification and misdirection on such as are sophisticated alternate systems are fully expected of red necks, Aaron Em.
Use credit cards to
make donations to US political parties. One REALLY good use of the info - it will cost the pols more to get money.
Why wasn't ALL the data encrypted, for Azathoth's sake?
Nyarlathotep on a bike! How hard is it to understand that there is an endless supply of hackers out there and that therefore any publicly available data sink will be breached eventually so make sure all they get is pure gibberish?
CryptoWorld (typo fixed)
Why wasn't it all encrypted?
Because, in simple terms, the cheap way of doing this makes it too hard to use the data and companies are too tight fisted to protect things when it costs others to fix it.
If they were fined $100 per record breach, it would suddenly become massively cost effective for them to protect the data. (Better still, if each individual record owner could sue them for $100 it would be fairer).
The problem at the moment is that while the data has some value to the company (Stratfor here), having it compromised doesn't really present a scalable cost that they can envisage upfront. It is all hypothetical costs about reputational damage and the costs of remediation work (if any).
This means that businesses frequently make the cost-driven decision to neglect security, taking a risk with other people's data in the belief that if it does go wrong they can just PR their way out of it while the customers are left sorting out the issues.
Oddly it frequently works out this way (have Sony seen a reduction in sales?) and until the customers change, the businesses won't even consider it.
(Resubmitted to correct crucial typo in first line - sorry)
Stratfor's new company motto
Security - we just get paid to talk about it