Author Topic: The Stratfor Hack: Unbelievable lack of security  (Read 5658 times)


Offline solarscreen

  • Klaatu Barada Nikto
  • Founder
  • Architect
  • *****
  • Posts: 631
  • The prodigal has returned...
The Stratfor Hack: Unbelievable lack of security
« on: June 13, 2014, 06:43:43 PM »
For those who find computer/network security interesting, this story will drive you crazy!  I have my own theory about this incident but I will let you read and comment first.

http://www.dailydot.com/politics/stratfor-verizon-report-security-flaws/
Technology - Home Theater - Astronomy - Pyrotechnics

Offline mariesalias

  • Founder
  • Trader
  • *****
  • Posts: 455
Re: The Stratfor Hack: Unbelievable lack of security
« Reply #1 on: June 13, 2014, 09:37:38 PM »
I do not have any theories, but I find it deeply disturbing on multiple levels!

Offline salamander

  • Founder
  • Architect
  • *****
  • Posts: 624
Re: The Stratfor Hack: Unbelievable lack of security
« Reply #2 on: June 14, 2014, 04:21:52 AM »
+1 @mariesalias

@solarscreen -- Didn't you say somewhere that you were in systems engineering or something similar?  I'm looking forward to hearing what you think about it.

Offline Kaldir

  • Founder
  • Trader
  • *****
  • Posts: 248
Re: The Stratfor Hack: Unbelievable lack of security
« Reply #3 on: June 14, 2014, 04:39:59 AM »
I don't know this particular case, but my theory is that this is far from uncommon.

A few years back a Dutch certificate authority, who also issued security certificates for the Dutch government, was hacked and also had a huge lack of procedures and technical measures.
Just last month there was an article about two guys who found an old manual online for an ATM and managed to get into the inner system of one with the default password from the manual. Bank employees didn't believe them until they handed over printed proof from the ATM.

Where people work, security is often lowered or totally ignored, because security "hinders" in everyday work. Sadly, that also applies to security firms and firms that work with privacy sensitive data.


Edit: tyops again.  :-[
« Last Edit: June 14, 2014, 03:31:55 PM by Kaldir »

Offline solarscreen

  • Klaatu Barada Nikto
  • Founder
  • Architect
  • *****
  • Posts: 631
  • The prodigal has returned...
Re: The Stratfor Hack: Unbelievable lack of security
« Reply #4 on: June 14, 2014, 07:45:05 AM »
Ok, here's my theory on this incident.

This was a live honeypot.

It was implemented to try to catch and shutdown high visibility hacker organizations and the real hackers that operate in them and not just the children who think they are hackers and play along or pretend they belong.

In security, a honeypot is a trap for spammers, hackers, and other malicious activities. 
The premise is simple - place a visible point of access to a known entity where it can receive attention. However, if it is accessed illegally the data found is fictitious and sometimes tagged for tracking.  This has been a counteraction against spammers and hackers for years.  The best/worst hackers know this, some of whom helped develop the processes used in them.

To determine if you have stumbled into a trap or a treasure trove, you need a point man to make the first access, grab information, and determine if the data is legit or bogus.  In this incident, Stratfor was actually hacked two weeks before and a point man verified the data and passed that over to the hacker group. 

If you look at the aftermath of this incident, unlike many hacks in the past, several key players were arrested and at least one group was effectively shut down.

Now, we have seen poor security before and have seen the results of that poor security result in high profile hacks.  Hackers find a few vulnerabilities or socially engineer access to key accounts or physically gain access to a system that has access to the internal network they want into. 

This hack is different in one key way: It had every door wide open; every level of security was absent or compromised in ways that have been exposed and detailed for many years. Every basic security course teaches these failures and experienced IT professionals are well aware of them. 

How could ANY global, high visibility intelligence provider who uses a payment system for subscription to their services fail on every level?

The system that governs credit card purchasing has 12 primary security processes of which Stratfor only implemented 3. Typically a review of any given implementation may find errors in one or two of these processes but not a complete absence of NINE of them.  This is negligence in the extreme and would require an improbable level of ignorance or outright criminal behavior.

In the case of the Target Department Store hack, the CIO was not originally an IT professional but rather a corporate executive who was moved into the CIO position.  Can executives make good decisions in fields they are not necessarily experts in? Sure, but in IT it's doubtful. I have been in IT for 35 years and I can tell you it's improbable. This is why I have a HUGE problem with businesses moving their IT organizations under the CFO and eliminating the CIO position.  CFOs might be awesome with numbers and accounting systems but that's a high level system that rides on top of a very dynamic and complex foundation of technology.  This is why so many companies now are 3 to 10 years behind in their tech implementations and are vulnerable to the most basic of attacks.

The Stratfor CIO has been in technology for years. Here's an excerpt of his bio:

...spent 20 years in IT leadership roles at a variety of major firms, including The Weather Channel, Circuit City, Delta Airlines, and Electronic Data Systems where he developed robust e-commerce and interactive web strategies as well as led the implementation of state-of-the art information technology systems...

He knows what is required.

Let's look at the aftermath of this hack.  Higher level hackers arrested, hacking organizations penetrated or shutdown, minimal lawsuit damages.  Hmmm... sounds like a live honeypot to me.

Those who lost money or had their accounts compromised were reimbursed and probably given support to clear up ID compromises and issues.  Was it ethical to use live bait?  Did the hacking victims know beforehand?  To make this look tempting and not expose the trap or the processes used in the trap, a class action lawsuit was used to "force" repayment of losses and damages.  This keeps everything looking like a real hack and not a real trap.  The victims may have signed NDAs to protect the processes used in this incident.

Until businesses and organizations stop using obsolete and inadequate systems and philosophies, cybercrime will continue.  The methods used to find, track, and capture cybercriminals will change to try to stay a half a step ahead.

If I'm wrong, this is the single most negligent, ignorant, criminal corporate failure in the history of mankind.  Yet, the lawsuit damages were only 1.5 million? The company is still in business?  No corporate executives went to jail?

Yeah, right.  Sure.  ;)
Technology - Home Theater - Astronomy - Pyrotechnics
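The tagging idea in the post above (fictitious records marked so that a leaked copy can be traced back to the trap that issued it), as an added example that is not code from the original post or from Stratfor: Python honeytoken records whose e-mail field carries an HMAC tag under a per-deployment secret, plus the matcher a defender would run over a suspected leak. The deployment names, keys and the e-mail layout are constructed assumptions.

```python
import hmac
import hashlib
import re

# Constructed secrets, one per trap deployment. Assumption: these keys are
# held by the trap operator only and never stored on the bait system, so
# whoever copies the data cannot tell tagged records from real ones.
DEPLOYMENT_KEYS = {
    "bait-site-A": b"constructed-key-A",
    "bait-site-B": b"constructed-key-B",
}
TAG_HEX = 12  # 48-bit tag: accidental matches are negligible at this scale


def _tag(key: bytes, deployment: str, seq: int) -> str:
    """Truncated HMAC-SHA256 over 'deployment:seq' (constructed layout)."""
    msg = f"{deployment}:{seq}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:TAG_HEX]


def make_bait_records(deployment: str, count: int) -> list[dict]:
    """Fictitious subscriber rows; the tag rides inside a plausible e-mail."""
    key = DEPLOYMENT_KEYS[deployment]
    rows = []
    for seq in range(count):
        rows.append({
            "name": f"Subscriber {seq:04d}",
            "email": f"u{seq}.{_tag(key, deployment, seq)}@example.com",
            "card_last4": f"{(seq * 7919) % 10000:04d}",  # constructed, no real PAN
        })
    return rows


# Matches the constructed address shape: u<seq>.<tag>@example.com
_EMAIL_RE = re.compile(r"\bu(\d+)\.([0-9a-f]{%d})@example\.com\b" % TAG_HEX)


def identify(email: str):
    """Return (deployment, seq) if the address carries a tag we issued, else None."""
    m = _EMAIL_RE.search(email)
    if not m:
        return None
    seq, found = int(m.group(1)), m.group(2)
    for deployment, key in DEPLOYMENT_KEYS.items():
        if hmac.compare_digest(_tag(key, deployment, seq), found):
            return deployment, seq
    return None  # well-formed but unknown tag: not ours, or forged


def scan_dump(lines: list[str]) -> dict[str, list[int]]:
    """Attribute every tagged address found in a leaked dump to its deployment."""
    hits: dict[str, list[int]] = {}
    for line in lines:
        for m in _EMAIL_RE.finditer(line):
            found = identify(m.group(0))
            if found:
                hits.setdefault(found[0], []).append(found[1])
    return hits


if __name__ == "__main__":
    bait = make_bait_records("bait-site-A", 3)
    # Constructed "leaked dump": two bait rows mixed with unrelated data.
    dump = [
        f"{bait[1]['name']},{bait[1]['email']},{bait[1]['card_last4']}",
        "Real Person,real.person@example.org,1234",
        f"{bait[2]['name']},{bait[2]['email']},{bait[2]['card_last4']}",
        "u5.000000000000@example.com",  # forged tag: must not be attributed
    ]
    print(scan_dump(dump))  # {'bait-site-A': [1, 2]}
```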

Offline Kaldir

  • Founder
  • Trader
  • *****
  • Posts: 248
Re: The Stratfor Hack: Unbelievable lack of security
« Reply #5 on: June 14, 2014, 12:15:58 PM »
@solarscreen: I highly doubt your theory, although it sounds more exciting than mine. :D

When I read that news article you linked to, all I thought was: "This is only news because a former vice president is involved". The rest is all default every day news: stolen personal data, stolen credit card numbers, bad security, etc.

Stratfor exists for almost 20 years. Why make it into a honeypot and risk breaking a company? Unless you mean it was first hacked by the government to implement the honeypot, but that would not explain the lack of procedures and simple technical security measures.

You say several hackers were arrested for this in the aftermath. My guess is that it has everything to do with that vice president and other "important" people that were victims (they had to get results), and with that hacker-turned-informant-turned-hacker (someone already in their power).

Another article for instance states:
Quote
For most of the year and a half that he awaited trial, Brown was charged with threatening an FBI agent, conspiring to hide his potentially evidence-bearing laptops, and sharing a link to credit card data publicized during the hack of the private intelligence firm Stratfor. Free speech advocates, such as the Committee to Protect Journalists and Reporters Without Borders, called the allegations payback for his journalism.
This suggests someone was victimized because results were needed in the investigation. Of course, this is all just speculation, but still.
And they had a well informed hacker in their pocket, that already helped arrest some in a previous case.

How could ANY global, high visibility intelligence provider who uses a payment system for subscription to their services fail on every level?

Check the Diginotar hack of 2011 for instance. Main difference is that that firm went bankrupt (only that business unit of the firm, actually).
Or check this article, about two 14-year-olds who "hacked" into an ATM using nothing more than a manual found online and the default password from that manual. We're talking about a bank here, securing stacks of money with a factory-default password, opening up possible skimming of cards used in that ATM.
And there are many more cases of unbelievable negligence and stupidity.
There's evidence/rumours suggesting something basic and stupid as sharing passwords was even used within the NSA, which is supposed to be the top intelligence organisation.

You say the CIO knows what is required. I don't read that in his bio. Sure, he's been in technology for a long time, but his focus has been user experience, software development and management. None of the 25 skills mentioned on his LinkedIn profile has a security focus. And that is key here, I think. I know way too many good software developers (and way too few good IT managers), but hardly any who have even a slight focus on security.

I think this was just another usual case of bad security, happening everywhere all the time. Nothing special here.

Until businesses and organizations stop using obsolete and inadequate systems and philosophies, cybercrime will continue.  The methods used to find, track, and capture cybercriminals will change to try to stay a half a step ahead.

In my opinion, this is naive. As long as there are large amounts of money, power or status at stake, cybercrime will continue. By criminal hackers, by hacktivists, by over-curious teenagers, and last but not least, by governments.

Cybercrime is here to stay, no matter how serious the security measures are (they do help though, to get the total amount down). A hacker only needs one entry point to succeed. A security officer needs to close all possible entry points. One slip, one moment of carelessness, and it's game over. This will always give the hackers the advantage.


Edit: minor tyops and grammer isues
« Last Edit: June 14, 2014, 12:26:51 PM by Kaldir »

Offline solarscreen

  • Klaatu Barada Nikto
  • Founder
  • Architect
  • *****
  • Posts: 631
  • The prodigal has returned...
Re: The Stratfor Hack: Unbelievable lack of security
« Reply #6 on: June 14, 2014, 02:00:33 PM »
@Kaldir like I said, I have been in the IT industry for over 30 years and NO company has ever failed on so many levels that are obvious to anyone with any IT business training.

You say you don't see anything in the CIOs bio to make you think he knows anything?

Circuit City
Delta Airlines
EDS

If you have run IT for these companies, you know security, you know secure systems and I don't recall these ever being hacked. They are all three prime targets.

Reread where the security failed for this company. Here's the top 5 just to begin with.

1. NO FIREWALLS
2. NO ANTIVIRUS / ANTIMALWARE software or systems
3. NO PASSWORD POLICY
4. Private information stored in PLAINTEXT
5. Failed 9 of 12 secure practices for point of sales systems

These are all MAJOR fails in Security 101.  Show me any other hack that had ALL doors wide open with NO security at all.
No, this was not like any other hack.  The largest hack in history at Target was not even this easy.  They are still investigating who did that.

Nearly all cybercrime occurs from very simple failures that could have been prevented by a proper program of corporate security. I have written them, implemented them, and seen them work rock solid.  It is possible, but obsolete systems, lazy executives, and apathetic employees make it very easy to rip us off.
« Last Edit: June 14, 2014, 02:03:11 PM by solarscreen »
Technology - Home Theater - Astronomy - Pyrotechnics

Offline solarscreen

  • Klaatu Barada Nikto
  • Founder
  • Architect
  • *****
  • Posts: 631
  • The prodigal has returned...
Re: The Stratfor Hack: Unbelievable lack of security
« Reply #7 on: June 14, 2014, 02:10:52 PM »
In any event,  security professionals should study this and everyone on the internet could learn something from this as well.

Technology - Home Theater - Astronomy - Pyrotechnics

Offline mariesalias

  • Founder
  • Trader
  • *****
  • Posts: 455
Re: The Stratfor Hack: Unbelievable lack of security
« Reply #8 on: June 14, 2014, 02:58:05 PM »
Both of your arguments sound plausible to me.

I really was appalled at the complete lack of security when I read the article. And surprised that the lawsuit was for so little and that the company seemed to suffer so little for it.

On the other hand, I know people in IT and know how lax security can be at times in some organizations where security is so important.


As a layman, I have little to contribute to the conversation, but I find both of your arguments compelling. Even if @solarscreen's theory was not the case in this particular incident, I suspect it is only a matter of time until such measures will have to be used. Unfortunately, I would not be surprised if @Kaldir's theory proved to be correct, and no doubt has been correct for other incidents similar to this. Though the degree of laxness in this one really is mind-boggling.

In either case, I still find the incident very disturbing, though for different reasons. 

Offline Kaldir

  • Founder
  • Trader
  • *****
  • Posts: 248
Re: The Stratfor Hack: Unbelievable lack of security
« Reply #9 on: June 14, 2014, 03:21:50 PM »
@Kaldir like I said, I have been in the IT industry for over 30 years.

Okay, you beat me there. I've only been working in IT for 20 years. :D
Ten years before that I did create some IT course material for the school my mum worked at. Does that count as working in IT?  :P

Nearly all cybercrime occurs from very simple failures that could have been prevented by a proper program of corporate security. I have written them, implemented them, and seen them work rock solid.  It is possible, but obsolete systems, lazy executives, and apathetic employees make it very easy to rip us off.

Have you ever implemented a system that uses OpenSSL? A 'no' would surprise me with your experience. And practically all those systems were vulnerable to hacks, with two major flaws discovered in the last few months.
If you believe any security program to work rock solid without bugs and flaws, you're only fooling yourself (and those you work for). Nonetheless, security could improve seriously, preventing the majority of hacks and data loss. But not all.

Security is always a compromise between cost and risk. If you park your car, it would be safer to leave an armed guard there to prevent car theft while you go shopping. You don't do that because it's inconvenient, costly and the risk of theft is small (and you are insured). Computer security works the same. Nothing is or ever can be 100% secure.

You say you don't see anything in the CIOs bio to make you think he knows anything?

Circuit City
Delta Airlines
EDS

If you have run IT for these companies, you know security, you know secure systems and I don't recall these ever being hacked. They are all three prime targets.

He worked for all those companies more than 15 years ago. And in application development. Security and application development have only recently been mixed much (and not enough by large). Back then, security was something added afterwards (if at all), and usually by system and network admins, not developers.

These are all MAJOR fails in Security 101.  Show me any other hack that had ALL doors wide open with NO security at all.
No, this was not like any other hack.
[...] NO company has ever failed on so many levels that are obvious to anyone with any IT business training

Oh yes, the fails are pretty big. But not uncommon (except for the misplaced firewall, that is head-on-desk stupid) in my opinion. Stupidity sometimes just happens. I don't see a reason to think it was brilliance instead of plain stupidity.
I know plenty of companies without a password policy, and even more without antimalware on their servers (too much impact on performance). I also know a lot of companies with a bad IT department that has no clue about their own VPN and firewall solutions.

If you read Verizon's recommendations (page 48), they don't sound seriously disturbing either. It's mostly about more auditing/monitoring, with better network segmentation and additional encryption. If you just read the recommendations, I don't see a reason to immediately fire the CIO or IT personnel. Verizon doesn't seem to be too concerned here.

Remember, this isn't some major bank. It's not even a big company. It is just a small consulting firm (between 50 and 200 employees), which outsourced all payment processing of their e-commerce services. The IT department will probably be quite small.

The only reason this is big news is because of the high profile customers that fell victim to its security failures.
« Last Edit: June 14, 2014, 03:23:53 PM by Kaldir »

Offline Kaldir

  • Founder
  • Trader
  • *****
  • Posts: 248
Re: The Stratfor Hack: Unbelievable lack of security
« Reply #10 on: June 14, 2014, 03:29:22 PM »
Even if @solarscreen's theory was not the case in this particular incident, I suspect it is only a matter of time until such measures will have to be used.

These kind of honeypots are already used. Some illegal download sites are run by the government, for instance, to catch and persecute prosecute uploaders.

Unfortunately, I would not be surprised if @Kaldir's theory proved to be correct, and no doubt has been correct for other incidents similar to this. Though the degree of laxness in this one really is mind-boggling.

Using a factory default password on an ATM is similarly mind-boggling in my opinion.

In either case, I still find the incident very disturbing, though for different reasons.

That is good. The more people are disturbed by incidents like these, the more security will be tightened and the less people will try to work around security.
« Last Edit: June 14, 2014, 03:55:45 PM by Kaldir »

Offline slink

  • Founder
  • Banished Expert
  • *****
  • Posts: 1222
Re: The Stratfor Hack: Unbelievable lack of security
« Reply #11 on: June 14, 2014, 03:42:00 PM »
@Kaldir, I believe you mean "prosecute" rather than "persecute".

Offline solarscreen

  • Klaatu Barada Nikto
  • Founder
  • Architect
  • *****
  • Posts: 631
  • The prodigal has returned...
Re: The Stratfor Hack: Unbelievable lack of security
« Reply #12 on: June 14, 2014, 03:43:48 PM »
Yeah, the latest flaws in OpenSSL appear to have existed since the late 1990s.  Yes, I have worked on systems with open source although I don't prefer it because of exactly what happened with OpenSSL and reading I have done on how to exploit open source software that will pass everyone's inspection.  Most of my work has been in the Microsoft world with some sideways expansions into Oracle, Solaris, and VMWare.

No, the company was no giant or bank but a good choice to use in my theory. Just far enough off the path of rigorous policies and protections to warrant a look see by hackers to see if they could get some prime financial account access.  That's why I still think it made a good place to try a Live Bait trap.

With my OpenSSL implementation work, the systems were so far away from being accessible, it almost did not matter that it was flawed and buried under many layers of security to even get to it.

Rock solid security is a dynamic system that always changes and responds to any activity with hands on examinations occurring daily and analysis at several levels.  Expensive with dedicated personnel but also possible.

But it's much like a locked house or car. Most of the time, it's too much trouble for those in a hurry or not serious.  There are still those who are capable enough and patient enough to get in if they want to.


Technology - Home Theater - Astronomy - Pyrotechnics

Offline solarscreen

  • Klaatu Barada Nikto
  • Founder
  • Architect
  • *****
  • Posts: 631
  • The prodigal has returned...
Re: The Stratfor Hack: Unbelievable lack of security
« Reply #13 on: June 14, 2014, 03:44:52 PM »
Hmm, maybe Freud was telling me persecute is better!

Yeah, default passwords are EVERYWHERE!  Ridiculous.
Technology - Home Theater - Astronomy - Pyrotechnics

Offline Kaldir

  • Founder
  • Trader
  • *****
  • Posts: 248
Re: The Stratfor Hack: Unbelievable lack of security
« Reply #14 on: June 14, 2014, 03:59:23 PM »
I'm in the Microsoft and VMware world as well, but those OpenSSL bugs hit our VMware (but those ESX servers are not accessible by anyone except IT) and Juniper devices as well. Especially the VPN appliance was a nasty one to get hit by that. And several webservices on our boxes have some version of OpenSSL in them.

I guess we will never truly know if your theory was right or not. This kind of information seldom goes above the speculation level.


Persecute and Prosecute sound too similar for me to remember, and Google translates them to the same Dutch word. I had to look up the definitions to see what you meant. Thanks for pointing it out, @slink.
I'm often not entirely sure if what I write is proper English, or just Dutch with English sounding words and grammar. It's never too late to learn and improve. :-)