What Stratfor said
At the start of this week, the main theme around Stratfor was the strength of the Anonymous assault and the brashness in publishing email addresses.
From this I read some interesting perspectives: cyber security expert Jeffrey Carr called it no big deal, as he publicises his email address on the web and an "email in and of itself means very little", while we looked at some analysis of the passwords that had been uncovered.
Looking at the Christmas attack itself, Eddy Willems, security evangelist at G Data, said: “Groups like Anonymous are now regularly and illegally taking down the real functionality of the internet as we know it, causing damage and destruction. This makes it increasingly problematic for any user wanting to put their credentials online.
“Companies like Stratfor need to ensure that all effective security measures are in place, which includes educating their employees about ever-changing threats.”
However, with the publication of a statement by founder and CEO George Friedman, that level of education seems to have been missed by the company entirely as he admitted that credit card files had not been encrypted.
He also admitted that he had previously been informed of a hack of the Stratfor website in early December, where customer credit card and other information had been stolen. He said the FBI had informed him there was an ongoing investigation that he was "not compelled to undermine".
He said: “From the beginning I faced a dilemma. I felt bound to protect our customers, who quickly had to be informed about the compromise of their privacy. I also felt bound to protect the investigation. That immediate problem was solved when the FBI told us it had informed the various credit card companies and had provided those companies with a list of compromised cards while omitting that it had come from us.
“Our customers were therefore protected, as the credit card companies knew the credit cards and other information had been stolen and could act to protect the customers.”
Friedman appeared to acknowledge that he was well aware the company had not encrypted the credit card files, saying "we were under no illusion that this was going to be kept secret" and "we knew our reputation would be damaged by the revelation".
Despite taking full responsibility, Friedman appeared to blame the error on the company's rapid growth, saying that as it grew, the management team and administrative processes didn't grow with it.
He also said that Stratfor worked to improve its security infrastructure within the confines of time "and the desire to protect the investigation by not letting the attackers know that we knew of their intrusion".
However, the second attack on Christmas Eve proved its fallibility, as hackers, apparently from the Anonymous group, posted "a triumphant note on our homepage saying that credit card information had been stolen, that a large amount of email had been taken, and that four of our servers had been effectively destroyed along with data and backups".
Friedman said this attack was clearly designed to silence Stratfor by destroying records and the website, yet his attention was focused on trying to understand why anyone would want to do this.
In an indirect message to the attackers, Friedman said: “I don't know if the hackers who did this feel remorse as they discover that we aren't who they said we were. First, I don't know who they actually are and, second, I don't know what their motives were.
“I know only what people claiming to be them say. So I don't know if there is remorse or if their real purpose was to humiliate and silence us, in which case I don't know why they wanted that.”
He further questioned how successful they felt to have been, saying that the consequence of this action and others "will not be a glorious anarchy in the spirit of Guy Fawkes, but rather a massive repression".
“That's why I wonder who the hackers actually are and what cause they serve. I am curious as to whether they realise the whirlwind they are sowing, and whether they, in fact, are trying to generate the repression they say they oppose,” he said.
He concluded his statement with a "we're still here" message, and seemed to want to reassure customers that Stratfor's security infrastructure was going to be stronger in future.
Carr said the worst aspect of the hack wasn't the release of email addresses, but Stratfor's "atrocious" handling of its members' credit card data and the state of its own network security.
Graeme Batsman from Data Defender previously said that a perfect network could be built by buying 70 desktop computers, a server and a method to back it up using encrypted tapes and, once a day, taking a copy of the server, encrypting it and placing it onto a tape. Store it offsite, he said, and that is a bullet-proof network.
“Companies, governments and military departments should really think about this method because attacks by Anonymous, LulzSec and foreign states will not decrease,” he said.
I asked Batsman what he thought of Friedman's comments; he said failing to encrypt credit card data and passwords is pretty bad, as most scripted websites have some form of basic one-way encryption (hash) on passwords.
He said: “If the password is weak it can sometimes be reversed. Even our website has one-way hashing on the database. We are a tiny company but we isolate each step. The website sits by itself and stores no data apart from front facing, while our email provider is totally separate and our core client data is not stored on the PC but on an external document management system and downloaded when needed, then uploaded and shredded.
“Obviously it's too late now and they should have secured it before. With so many massive clients and military, you would even think the US military might audit them.”
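Batsman's point about one-way hashing, and his caveat that a weak password can sometimes be reversed, can be shown concretely. The following is an added example written for this article; it is not code from Stratfor, Data Defender or the author. It assumes PBKDF2-HMAC-SHA256 from the Python standard library with a random per-user salt, an assumed iteration count, and a constructed weak-password denylist in place of a real breached-password list. The salt is what defeats precomputed hash tables, and the denylist is the defender's answer to the "weak password" case: a slow hash cannot rescue a password that a guesser would try first.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed denylist standing in for a real breached-password list.
# The entries are illustrative only; none are taken from the article.
WEAK_PASSWORDS = {"password", "123456", "stratfor", "letmein", "qwerty"}

PBKDF2_ITERATIONS = 600_000  # assumed cost parameter; tune to your hardware


def is_weak(password: str) -> bool:
    """Reject obviously guessable passwords before they are ever hashed."""
    return len(password) < 12 or password.lower() in WEAK_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage.

    A fresh 16-byte salt per user means two users with the same password
    get different records, so a precomputed table of hashes is useless.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never accept it
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many bytes matched via timing
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(password: str) -> str:
    """Enrolment path: refuse weak passwords, otherwise store the salted hash."""
    if is_weak(password):
        raise ValueError("password is too short or appears in the weak-password list")
    return hash_password(password)


if __name__ == "__main__":
    record = register("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong guess", record))  # False
```

The stored record carries its own algorithm name, iteration count and salt, so the cost can be raised later and old records re-hashed on the user's next successful login without a flag day.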
Speaking to SC Magazine, Carr said he felt Friedman had exhibited a common phenomenon unique to C-level executives who've been hit with their first major attack: “An ego boost. Friedman actually thinks someone wanted to silence Stratfor, which is ridiculous. It's more likely that an insider was really pissed off.”
Carr called Friedman's statement "pretty much a standard apology and attempt to diminish the effect of the attack". He said others will probably follow suit, but it's hard to expect anything different coming from a corporation.
Among the responses to a cyber incident, this will stand out as being one of the most thorough and honest to come from a CEO. Friedman detailed the incident, took the blame and delivered a message of resiliency to customers and attackers alike. However, as the Liquid Matrix revealed, the site was later offline again due to the sheer volume of traffic, or a possible denial-of-service attack.