Anonymous hack of intell company Stratfor was all too easy
- By William Jackson
- Jan 03, 2012
The year 2011 ended much like it began, with a high-profile breach by the hacktivist gadflies at Anonymous, who broke into the systems of the intelligence analysis company Strategic Forecasting, stole a lot of personally identifiable information, including credit card account data, and posted it online.
“We are currently investigating this unfortunate event and are working diligently to prevent it from ever happening again,” Stratfor said on its Web homepage.
Except for that notice, the website is down pending a security review and the company is communicating primarily via Twitter and Facebook. The embarrassment of this development is compounded for the company by the level of hostility evidenced in many of the replies to these postings. “Dont **** with the internet, its not only anonymous that hate STRATFOR [sic],” said one fairly typical response.
Army warns of ID theft from Stratfor hack
2011: The year of the breach
Just how the breach was accomplished is not yet clear, but one thing is fairly certain: It need not have happened.
Anonymous is an amorphous group with no fixed membership or agenda, so it is hard to say just what it is. But one thing it has never claimed to be is sophisticated. Its hacks for the most part have used exploits of known vulnerabilities, picking the low-hanging fruit from organizations that should have known better.
To use a hackneyed sports analogy, no matter how good you are, you will not be successful if you do not concentrate first on the basics of blocking and tackling — and avoiding turnovers.
This is sadly lacking in many organizations. Countless small organizations that consider themselves too unimportant to warrant a hacker’s attentions rely on security through obscurity. This is a dangerous gamble. Other organizations that should know better, such as Stratfor as well as the U.S. Senate and the CIA before it, for some reason have not done the basic job of clearing up the obvious weaknesses that can allow easy entrance.
Some of the very public attacks in the past year have been largely cosmetic, consisting of defacements and rummaging through files that are not particularly sensitive. But even these can carry a high price in cleanup and in damage to reputation.
For an organization such as Stratfor, engaged in security and intelligence analysis, the breach is doubly damaging, not even considering the credit card information it managed to lose.
Cleaning up known vulnerabilities and protecting against known exploits and threats will not ensure complete cybersecurity. As other events of the past year have shown, there is a real and ongoing danger from more sophisticated attacks such as advanced persistent threats that are not easily spotted and stopped. But even APTs will take the easy way into a system if one is available, turning to zero-day exploits only when necessary.
Paying attention to the basics and making sure that known, easy-to-exploit vulnerabilities are corrected or defended against is a necessary first step to adequate cybersecurity. It will raise the stakes for the bad guys by increasing the amount of effort needed to break in. It will reduce the attack surface as well as the number of attacks you really have to worry about.
This is not to say taking care of the basics is easy. It can be tedious and expensive and can distract IT teams from other priorities, and when the job is finished there still will be plenty of more vulnerabilities to worry about. But in the long run it is necessary if you expect to have any credibility.
William Jackson is freelance writer and the author of the CyberEye blog.