Dumbasses didn’t even encrypt our data. Not sure what this says. Talk about a security lapse. Thanks assholes, now I have to worry about something else.
The frustrating part is WE will never know who is really behind it due to media control. If they print it people will believe it to further their cause…
Anonymous or ? et al…
A hundred years ago, you had to decide if your money was safer in a local bank, or if you should still keep it locked up at home.
Today, you are faced with the same decision. But you can’t go look at the impressive safe, or stern-looking guards.
Credit card companies publish standards for safekeeping data. But for those people in the industry, they are often considered a list to be checked off. Also, many people have been breached, while being certified as compliant with PCI-DSS standards. Hannaford is arguably the most famous on that list.
What is truly needed is something akin to a visible score by the local public health department. You get inspected, and get a visible grade. But a lot of companies do not wish to do that. If you got an “F”, the bad guys would swarm like vultures. If you get an “A”, some folks would take it as a challenge. So companies (including mine) adopt a low profile. We take the home security approach: “I don’t have to be Fort Knox, I just have to be strong enough that you go break in someplace else.” And we are pretty freaking strong.
But these days there are so many robbers, and so many tools, that break-ins seem inevitable. And if they are really, really good, your data is copied and you never know it’s gone.
I honestly foresee a growth in data surety programs, where third-parties offer “seals of approval”. And wait for the lawyers to get involved in that. “You besmirched my good name, sir!” Ever been sued by a Fortune 10 company? It’s fun to watch, but only from the sidelines.
Security should be baked in, not bolted on. That’s the problem today. People are trying to retrofit security on existing systems, due to cost constraints. And that just does not work.
So your money all boils down to money, just like you thought.
Phenomenal analysis SS, as per usual.
AC
And these guys are supposed to be on top of their shit.
Dear Stratfor Member,
On December 24th an unauthorized party disclosed personally identifiable information and related credit card data of some of our members. We have reason to believe that your personal and credit card data could have been included in the information that was illegally obtained and disclosed.
Also publicly released was a list of our members which the unauthorized party claimed to be Stratfor’s “private clients.” Contrary to this assertion the disclosure was merely a list of some of the members that have purchased our publications and does not comprise a list of individuals or entities that have a relationship with Stratfor beyond their purchase of our subscription-based publications.
We have also retained the services of a leading identity theft protection and monitoring service on behalf of the Stratfor members that have been impacted by these events. Details regarding the services to be provided will be forwarded in a subsequent email that is to be delivered to the impacted members no later than Wednesday, December 28th.
In the interim, precautions that can be taken by you to minimize and prevent the misuse of information which may have been disclosed include the following:
- contact your financial institution and inform them of this incident;
- if you see any unauthorized activity on your accounts promptly notify your financial institution;
- submit a complaint with the Federal Trade Commission (“FTC”) by calling 1-877-ID-THEFT (1-877-438-4338) or online at https://www.ftccomplaintassistant.gov/; and
- contact the three U.S. credit reporting agencies: Equifax (http://www.equifax.com/ or (800) 685-1111), Experian (http://www.experian.com/ or (888) 397-3742), and TransUnion (http://www.transunion.com/ or (800) 888-4213), to obtain a free credit report from each.
Even if you do not find any suspicious activity on your initial credit reports, the FTC recommends that you check your credit reports periodically. Checking your credit reports can help you spot problems and address them quickly.
To ease any concerns you may have about your personal information going forward, we have also retained an experienced outside consultant that specializes in such security matters to bolster our existing efforts on these issues as we work to better serve you. We are on top of the situation and will continue to be vigilant in our implementation of the latest, and most comprehensive, data security measures.
We are also working to restore access to our website and continuing to work closely with law enforcement regarding these matters. We will continue to update you regarding the status of these matters.
Again, my sincerest apologies for this unfortunate incident.
Sincerely,
George Friedman
That email had my blood boiling.
Hey, FBI, 'bout time to really go after Anonymous, don’t you think?
Wait, Obama likes what they are doing.
The FBI and other TLAs are pursuing Anonymous. There have been arrests made.
The problem is that they are such a diffuse group as to defy the term “organization”. It’s not like taking down a Mafia family, where you have clearly delineated command structures and crews.
This is not meant to defend our current President, AG, or other folks I am not personally fond of. Just pointing out that it can be difficult to find these people and make an indictable case. It’s more complicated than saying “Get 'em, boys!”
I know that most of you are just expressing frustration. I’d sleep much easier without these folks ever touching a computer again, myself.
STRATFOR isn’t all that. If you go back and look at many of their predictions and information it’s mediocre at best.
No one should be surprised by Anonymous’ ability to hack. Our own government can’t protect most government agencies from being hacked by the Russians or Chinese.
It’s obvious that Anonymous has some seriously smart people in their organization.
I guess this is one advantage to being broke.
I also never got scammed by Madoff.
Getting rich is only the first half of the battle, keeping it is the other.
I don’t concur with a blanket assertion of mediocrity, and am not sure that Stratfor’s strengths lie in forecasting as much as with providing a broader context for understanding current events; that said, I would not want to be their IT department head right about now. It seems puzzling that more precautions weren’t taken, given the nature of their livelihood. The e-mail updates going out on their mailing list right now smack of desperation, and rightfully so. Thank goodness their individual subscription rates were always high enough to dissuade me from giving them my credit card number.
AC
Actually, most of America’s civil and govt infrastructure is shockingly vulnerable to attack. We are WIDE open to a full scale cyber attack and we may have some difficulty determining who did it.
We spend trillions in “defense” to support a Cold War era military/industrial/congressional complex.
It’s going to take another 9/11 but in a cyber sense to wake us up, and will probably be matched by a post-9/11 in trampling of privacy.
Exactly.
I’m comfortably in my lane here.
I think many of us have found ourselves in the position of recommending a course of action, and having it shot down due to costs.
Good defenses cost money in two ways. You either buy technology (an okay method) or you hire smart people and let them do what they need to do. The second method can be just as expensive or more expensive, and it’s often viewed as a waste. But smart people are better. Security is not magic pixie dust you sprinkle on a router or network, it’s a process that involves every swinging Richard in the organization.
If you build a highly-secure environment, and do not get breached, a LOT of managers (not leaders) view that as a waste. Trust me, I’ve sat in rooms and listened to that very statement, from people that get paid over a million dollars a year.
If you build a combat outpost or firebase in the middle of bad guy country and don’t get attacked, will some pencil neck back in the States accuse you of wasting all that money?
You respond with “Shut yer cakehole, I spent the money and all my guys are coming home alive.” But the beancounter never sees the enemy.
There are a lot of us geeks that see the enemy, and even talk to them at times. Go to Black Hat or Def Con. Fire up mIRC and chat with some friendly Ukrainians.
So it is entirely possible that they could have some serious uber-geeks who know what to do, but get denied funding. Sound familiar? Not everybody gets Noveske’s; sometimes they buy you Shrubmasters. So you bitch a little, and fix the stuff as best you can.
I don’t know anybody at StratFor, but I bet somebody here does. They might be Alpha Geeks, or they could be Geek Squad rejects from Worst Try.
But it’s entirely possible they will get fired as sacrificial lambs, for not protecting something they were not given the tools to protect. Technology costs money, so does brains. But management always sees IT as a cost center, and very rarely as a competitive edge.
This is not a defense of Stratfor, and this is not an attack on any poster here. It’s an explanation. I want a dollar for every time I have said “So you trust me at 3 am in a server farm, but you don’t trust me at 3 pm across a conference table.”
Somebody eff’d up. But I’ll bet you a box of Hornady TAP it was a VP that opened an infected email that compromised his user account. So the same booger eater that denies the money also infects the company. I’ve helped clean up three other organizations where spearphishing or whaling was exactly how they got hit.
Search and assess can be applied multiple ways.
“It’s time to dump the full 75,000 names, addresses, CCs and md5 hashed passwords to every customer that has ever paid Stratfor. But that’s not all: we’re also dumping ~860,000 usernames, email addresses, and md5 hashed passwords for everyone who’s ever registered on Stratfor’s site… Did you notice 50,000 of these email addresses are .mil and .gov?”
Want to wager how many of those people have the same user name and password on their online banking site?
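An added example, not part of any post in this thread and not Stratfor’s code, to show why the “md5 hashed passwords” in the dump quoted above matter: with an unsalted MD5 table, one hash per wordlist entry cracks every account that used that password, and the recovered plaintexts are then available for trying against other sites. The same wordlist run against a salted, stretched PBKDF2 table still recovers the weak passwords, but at per-user cost with no shared lookup table. The usernames, passwords, “dump” and wordlist below are all constructed for the example; the iteration count is kept deliberately small so it runs in a second or two.

```python
import hashlib
import hmac
import os

# Constructed plaintexts; a real dump exposes only the hex digests, the
# plaintexts are written here so the example is self-contained.
PLAINTEXTS = {
    "alice@example.mil": "password",
    "bob@example.gov": "letmein",
    "carol@example.com": "correct horse battery staple",
    "dave@example.org": "123456",
}


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a leaked "username:md5" table.
SAMPLE_DUMP = {user: md5_hex(pw) for user, pw in PLAINTEXTS.items()}

# Constructed mini wordlist; real attacks use hundreds of millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "football"]


def crack_unsalted_md5(dump: dict, wordlist: list) -> tuple:
    """Return ({user: plaintext}, hash_ops) for an unsalted MD5 table.

    Each candidate is hashed once and matched against every user by
    dictionary lookup, so the work is len(wordlist) no matter how many
    accounts leaked.
    """
    lookup = {md5_hex(w): w for w in wordlist}
    found = {user: lookup[h] for user, h in dump.items() if h in lookup}
    return found, len(wordlist)


ITERATIONS = 50_000  # small for demo speed; production values are higher


def pbkdf2_record(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> tuple:
    """Salted, stretched record: (salt, iterations, derived_key)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, dk


def verify_pbkdf2(password: str, record: tuple) -> bool:
    salt, iterations, dk = record
    cand = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(cand, dk)


def crack_salted_pbkdf2(records: dict, wordlist: list) -> tuple:
    """Return ({user: plaintext}, hash_ops) for a salted PBKDF2 table.

    Distinct salts mean no shared lookup table: every candidate is re-derived
    per user, each costing `iterations` HMAC calls. Weak passwords still fall,
    they just cost far more per account.
    """
    found, ops = {}, 0
    for user, rec in records.items():
        for w in wordlist:
            ops += rec[1]
            if verify_pbkdf2(w, rec):
                found[user] = w
                break
    return found, ops


def demo() -> dict:
    """Run both attacks over the same accounts and report what fell and the cost."""
    salted = {u: pbkdf2_record(p) for u, p in PLAINTEXTS.items()}
    md5_found, md5_ops = crack_unsalted_md5(SAMPLE_DUMP, WORDLIST)
    kdf_found, kdf_ops = crack_salted_pbkdf2(salted, WORDLIST)
    return {"md5_found": md5_found, "md5_ops": md5_ops,
            "pbkdf2_found": kdf_found, "pbkdf2_ops": kdf_ops}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Three of the four constructed accounts fall under both schemes; the difference is that MD5 costs five hash operations for the whole table while PBKDF2 costs hundreds of thousands and scales with the number of accounts. The one account that survives is the one with a passphrase not in the wordlist, which is the point the post above makes about reuse: the hashing scheme sets the attacker’s price, the user’s password choice sets whether there is anything to buy.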
Irish, thanks for the warning about the release.
Brief article in the NYT: http://www.nytimes.com/2011/12/30/technology/hacker-attacks-like-stratfors-require-fast-response.html?ref=technology
Reiterates some of the same points made by SeriousStudent above.
NYT also reporting another hack by Anonymous on a veteran-owned website, Special Forces, which apparently sells military-inspired merchandise, once again obtaining CC info and passwords of customers. Here’s the link: http://bits.blogs.nytimes.com/2011/12/29/stratfor-hackers-claim-another-attack/
How credible is the information of an organization who was unable to predict that their own systems would be subject to a very simple attack by a group of amateurs?
Every good hotel in town knows how to protect their high end client’s privacy and security.
Kevin Mandia is a sharp guy. He was really good at the FBI, and left to form Mandiant. He recruited some very sharp folks from the Air Force and other places.
If your cookies are on fire, he’s one of the people that can get them out of the oven. He and his folks also publish a lot of free tools worth investigating.