Feeds

Stratfor slaps website back online after Anon mega-hack

CEO: Hacktivists can't silence us - and soz about the credit cards

SANS - Survey on application security programs

Stratfor has restored its website to normal operation on Wednesday, more than two weeks after a hack attack by Anonymous that made the global intelligence analyst firm a byword for information insecurity.

Members of Anonymous made off with stolen emails and credit-card data after breaking into Stratfor's chronically insecure website in early December, much earlier than previously acknowledged. The website, torched during the attack, was restored on Wednesday to normal operation, along with an apology of sorts from its chief exec for its poor pre-hack security.

Chief among Stratfor's mistakes was the failure to encrypt the credit card files that hacktivists stole and later dumped online. George Friedman, chief exec of Stratfor, blamed the rapid growth of the firm for this school boy error, which it has belatedly rectified.

The FBI made it clear that it expected the theft to be exposed by the hackers. We were under no illusion that this was going to be kept secret. We knew our reputation would be damaged by the revelation, all the more so because we had not encrypted the credit card files.

This was a failure on our part. As the founder and CEO of Stratfor, I take responsibility for this failure, which has created hardship for customers and friends, and I deeply regret that it took place. The failure originated in the rapid growth of the company. As it grew, the management team and administrative processes didn't grow with it.

The trickster hacktivists who hit Strafor not only stole its data but defaced its website and thrashed its systems, as Friedman explains.

With the credit card information stolen, I assumed that the worst was done. I was wrong.

Early in the afternoon of Dec 24, I was informed that our website had been hacked again. The hackers published a triumphant note on our homepage saying that credit card information had been stolen, that a large amount of email had been taken, and that four of our servers had been effectively destroyed along with data and backups. We had expected they would announce the credit card theft. We were dismayed that emails had been taken. But our shock was at the destruction of our servers. This attack was clearly designed to silence us by destroying our records and the website, unlike most attacks by such groups.

Strafor specialises in geopolitical analysis, but judging from Friedman's post it remains pretty much in the dark about the motives of the hackers who hit it with such force, beyond suggesting that they supposedly perceived Stratfor as the intelligence hub in a non-existent global conspiracy. Friedman suggests Anonymous was trying to silence it, defiantly boasting that these efforts have failed.

The attempt to silence us failed. Our website is back, though we are waiting for all archives to be restored, and our email is working again. Our failures have been reviewed and are being rectified. We deliberately shut down while we brought in outside consultants to rebuild our system from the ground up.

A video statement from Friedman can be found here.

Anonymous boasted of stealing Stratfor’s confidential client list as well as email spools and more than 4,000 credit card details after extracting 20GB of data from Stratfor's systems. One member boasted of plans to use the stolen credit card data to make donations to charities including the Red Cross. Such transactions are highly likely to be identified and reversed, potentially leaving charities worse off in the process (as a result of charge-back fees) but more likely just achieving a huge inconvenience all round.

Hacktivists threatened to release stolen emails but nothing much has come of this threat so far. Strafor provides intelligence services for law enforcement agencies, among others, making them target for anti-sec hacktivists, who enjoy exposing the security failings of infosec consultancies and FBI affiliates.

Various comments from the semi-official AnonymousIRC account gently mocked Stratfor's statement and Wednesday and mocked the supposed ability of the firm to keep its website available. "What's that? stratfor.com - Not able to keep up your site for just a few hours!?" Later the hacktivists added: "To avoid misinterpretations: we're NOT dosing #Stratfor. We just interpreted their statement. :)" ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.