CYBEREYE

Anonymous hack of intell company Stratfor was all too easy

The year 2011 ended much like it began, with a high-profile breach by the hacktivist gadflies at Anonymous, who broke into the systems of the intelligence analysis company Strategic Forecasting, stole a lot of personally identifiable information, including credit card account data, and posted it online.

“We are currently investigating this unfortunate event and are working diligently to prevent it from ever happening again,” Stratfor said on its Web homepage.

Except for that notice, the website is down pending a security review and the company is communicating primarily via Twitter and Facebook. The embarrassment of this development is compounded for the company by the level of hostility evidenced in many of the replies to these postings. “Dont **** with the internet, its not only anonymous that hate STRATFOR [sic],” said one fairly typical response.


Related stories:

Army warns of ID theft from Stratfor hack

2011: The year of the breach


Just how the breach was accomplished is not yet clear, but one thing is fairly certain: It need not have happened.

Anonymous is an amorphous group with no fixed membership or agenda, so it is hard to say just what it is. But one thing it has never claimed to be is sophisticated. Its hacks for the most part have used exploits of known vulnerabilities, picking the low-hanging fruit from organizations that should have known better.

To use a hackneyed sports analogy, no matter how good you are, you will not be successful if you do not concentrate first on the basics of blocking and tackling — and avoiding turnovers.

This is sadly lacking in many organizations. Countless small organizations that consider themselves too unimportant to warrant a hacker’s attentions rely on security through obscurity. This is a dangerous gamble. Other organizations that should know better, such as Stratfor as well as the U.S. Senate and the CIA before it, for some reason have not done the basic job of clearing up the obvious weaknesses that can allow easy entrance.

Some of the very public attacks in the past year have been largely cosmetic, consisting of defacements and rummaging through files that are not particularly sensitive. But even these can carry a high price in cleanup and in damage to reputation.

For an organization such as Stratfor, engaged in security and intelligence analysis, the breach is doubly damaging, not even considering the credit card information it managed to lose.

Cleaning up known vulnerabilities and protecting against known exploits and threats will not ensure complete cybersecurity. As other events of the past year have shown, there is a real and ongoing danger from more sophisticated attacks such as advanced persistent threats that are not easily spotted and stopped. But even APTs will take the easy way into a system if one is available, turning to zero-day exploits only when necessary.

Paying attention to the basics and making sure that known, easy-to-exploit vulnerabilities are corrected or defended against is a necessary first step to adequate cybersecurity. It will raise the stakes for the bad guys by increasing the amount of effort needed to break in. It will reduce the attack surface as well as the number of attacks you really have to worry about.

This is not to say taking care of the basics is easy. It can be tedious and expensive and can distract IT teams from other priorities, and when the job is finished there still will be plenty of more vulnerabilities to worry about. But in the long run it is necessary if you expect to have any credibility.

 

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Wed, Jan 4, 2012 Cowboy Joe

I'd be careful about assumin' a lack of sophistication. They don't much need to show off their best quick-draw when the sheriff's standin' there with his iron holstered 'round his ankles.

Wed, Jan 4, 2012 saved-user

Once again, horses and riders are not named in this case. We all should know, that the hacked key-products come from the home of well developed "back-doors" called M$, and the mysterious hacker success is based on leaked "key-strings"!

Wed, Jan 4, 2012 don

The author deftly points out what many professionals already fear: So-called "Continuous Monitoring" is only a part of the equation to secure systems. There is no replacement for periodic certification and real independent testing of defense in depth. These facts tend to rule out cloud-vendors where sensitive data solutions are needed. Are we to sacrafice America's data because cloud-vendors lobbied extra hard to eliminate security hurdles to their profits?

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above